Abstract. We study quantum protocols among two distrustful parties. Under the sole assumption of correctness — guaranteeing that honest players obtain their correct outcomes — we show that every protocol implementing a non-trivial primitive necessarily leaks information to a dishonest player. This extends known impossibility results to all non-trivial primitives. We provide a framework for quantifying this leakage and argue that leakage is a good measure for the privacy provided to the players by a given protocol. Our framework also covers the case where the two players are helped by a trusted third party. We show that despite the help of a trusted third party, the players cannot amplify the cryptographic power of any primitive. All our results hold even against quantum honest-but-curious adversaries who honestly follow the protocol but purify their actions and apply a different measurement at the end of the protocol. As concrete examples, we establish lower bounds on the leakage of standard universal two-party primitives such as oblivious transfer.

Keywords: two-party primitives, quantum protocols, quantum information theory, oblivious transfer.



1 Introduction 

Quantum communication allows one to implement tasks which are classically impossible. The most prominent example is quantum key distribution [BB84] where two honest players establish a secure key against an eavesdropper. In the two-party setting however, quantum and classical cryptography often show similar limits. Oblivious transfer [Lo97], bit commitment [May97,LC97], and even fair coin tossing [Kit03] are impossible to realize securely both classically and quantumly. On the other hand, quantum cryptography allows for some weaker primitives impossible in the classical world. For example, quantum coin-flipping protocols with maximum bias of $\epsilon = \frac{1}{\sqrt{2}} - \frac{1}{2}$ exist against any adversary [CK09] while remaining impossible based solely on classical communication. A few other weak primitives are known to be possible with quantum communication. For example, the generation of an additive secret-sharing for the product $xy$ of two bits, where Alice holds bit $x$ and Bob bit $y$, has been introduced by Popescu and Rohrlich as machines modeling non-signaling non-locality (also called NL-boxes) [PR94]. If Alice and Bob share an EPR pair, they can simulate an NL-box with symmetric error probability $\sin^2 \frac{\pi}{8}$ [PR94,BLM+05]. Equivalently, Alice and Bob can implement 1-out-of-2 oblivious transfer (1-2-OT) privately provided the receiver Bob gets the bit of his choice only with probability of error $\sin^2 \frac{\pi}{8}$ [Amb05]. It is easy to verify that even with such imperfection these two primitives are impossible to realize in the classical world. This discussion naturally leads to the following question:

— Which two-party cryptographic primitives are possible to achieve using quantum communication?

Most standard classical two-party primitives have been shown impossible to implement securely against weak quantum adversaries reminiscent of the classical honest-but-curious (HBC) behavior [Lo97]. The idea behind these impossibility proofs is to consider parties that purify their actions throughout the protocol execution. This behavior is indistinguishable from the one specified by the protocol but guarantees that the joint quantum state held by Alice and Bob at any point during the protocol remains pure. The possibility for players to behave that way in any two-party protocol has important consequences. For instance, the impossibility of quantum bit commitment follows from this fact [May97,LC97]: After the commit phase, Alice and Bob share the pure state $|\psi^x\rangle \in \mathcal{H}_A \otimes \mathcal{H}_B$ corresponding to the commitment of bit $x$. Since a proper commitment scheme provides no information about $x$ to the receiver Bob, it follows that $\mathrm{tr}_A |\psi^0\rangle\langle\psi^0| = \mathrm{tr}_A |\psi^1\rangle\langle\psi^1|$. In this case, the Schmidt decomposition guarantees that there exists a unitary $U_{0,1}$ acting only on Alice's side such that $|\psi^1\rangle = (U_{0,1} \otimes \mathbb{I}_B)|\psi^0\rangle$. In other words, if the commitment is concealing then Alice can open the bit of her choice by applying a suitable unitary transform only to her part. A similar argument allows one to conclude that 1-2-OT is impossible [Lo97]: Suppose Alice is sending the pair of bits $(b_0, b_1)$ to Bob through 1-2-OT. Since Alice does not learn Bob's selection bit, it follows that Bob can get bit $b_0$ before undoing the reception of $b_0$ and transforming it into the reception of $b_1$ using a local unitary transform similar to $U_{0,1}$ for bit commitment. For both these primitives, privacy for one player implies that local actions by the other player can transform the honest execution with one input into the honest execution with another input.

In this paper, we investigate the cryptographic power of two-party quantum protocols against players that purify their actions. This quantum honest-but-curious (QHBC) behavior is the natural quantum version of classical HBC behavior. We consider the setting where Alice obtains random variable $X$ and Bob random variable $Y$ according to the joint probability distribution $P_{X,Y}$. Any $P_{X,Y}$ models a two-party cryptographic primitive where neither Alice nor Bob provide input. For the purpose of this paper, this model is general enough since any two-party primitive with inputs can be randomized (Alice and Bob pick their input at random) so that its behavior can be described by a suitable joint probability distribution $P_{X,Y}$. If the randomized version $P_{X,Y}$ is shown to be impossible to implement securely by any quantum protocol then the original primitive with inputs is impossible as well.

Any quantum protocol implementing $P_{X,Y}$ must produce, when both parties purify their actions, a joint pure state $|\psi\rangle \in \mathcal{H}_{AA'} \otimes \mathcal{H}_{BB'}$ that, when subsystems $A$ and $B$ are measured in the computational basis, leads to outcomes $X$ and $Y$ according to the distribution $P_{X,Y}$. Notice that the registers $A'$ and $B'$ only provide the players with extra working space and, as such, do not contribute to the output of the functionality (so parties are free to measure them the way they want). In this paper, we adopt a somewhat strict point of view and define a quantum protocol $\pi$ for $P_{X,Y}$ to be correct if and only if the correct outcomes $X, Y$ are obtained and the registers $A'$ and $B'$ do not provide any additional information about $Y$ and $X$ respectively, since otherwise $\pi$ would be implementing a different primitive $P_{XX',YY'}$ rather than $P_{X,Y}$.

The state produced by any correct protocol for $P_{X,Y}$ is called a quantum embedding of $P_{X,Y}$. An embedding is called regular if the registers $A'$ and $B'$ are empty. Any embedding $|\psi\rangle \in \mathcal{H}_{AA'} \otimes \mathcal{H}_{BB'}$ can be produced in the QHBC model by the trivial protocol asking Alice to generate $|\psi\rangle$ before sending the quantum state in $\mathcal{H}_{BB'}$ to Bob. Therefore, it is sufficient to investigate the cryptographic power of embeddings in order to understand the power of two-party quantum cryptography in the QHBC model.

Notice that if $X$ and $Y$ were provided privately to Alice and Bob — through a trusted third party for instance — then the expected amount of information one party gets about the other party's output is minimal and can be quantified by the Shannon mutual information $I(X;Y)$ between $X$ and $Y$. Assume that $|\psi\rangle \in \mathcal{H}_{AA'} \otimes \mathcal{H}_{BB'}$ is the embedding of $P_{X,Y}$ produced by a correct quantum protocol. We define the leakage of $|\psi\rangle$ as

$$\Delta_\psi(P_{X,Y}) := \max\{\, S(X;BB') - I(X;Y),\ S(Y;AA') - I(Y;X) \,\}, \qquad (1)$$

where $S(X;BB')$ (resp. $S(Y;AA')$) is the information the quantum registers $BB'$ (resp. $AA'$) provide about the output $X$ (resp. $Y$). That is, the leakage is the maximum amount of extra information about the other party's output given the quantum state held by one party. It turns out that $S(X;BB') = S(Y;AA')$ holds for all embeddings, exhibiting a symmetry similar to its classical counterpart $I(X;Y) = I(Y;X)$, and therefore the two quantities we are taking the maximum of (in the definition of leakage above) coincide.

Contributions. Our first contribution establishes that the notion of leakage is well behaved. We show that the leakage of any embedding for $P_{X,Y}$ is lower bounded by the leakage of some regular embedding of the same primitive. Thus, in order to lower bound the leakage of any correct implementation of a given primitive, it suffices to minimize the leakage over all its regular embeddings. We also show that the only non-leaking embeddings are the ones for trivial primitives, where a primitive $P_{X,Y}$ is said to be (cryptographically) trivial if it can be generated by a classical protocol against HBC adversaries (footnote 5). It follows that any quantum protocol implementing a non-trivial primitive $P_{X,Y}$ must leak information under the sole assumption that it produces $(X, Y)$ with the right joint distribution. This extends known impossibility results for two-party primitives to all non-trivial primitives.

Embeddings of primitives arise from protocols where Alice and Bob have full control over the environment. Having in mind that any embedding of a non-trivial primitive leaks information, it is natural to investigate what tasks can be implemented without leakage with the help of a trusted third party. The notion of leakage can easily be adapted to this scenario. We show that no cryptographic two-party primitive can be implemented without leakage with just one call to the ideal functionality of a weaker primitive (footnote 6). This new impossibility result does not follow from the ones known since they all assume that the state shared between Alice and Bob is pure.

We then turn our attention to the leakage of correct protocols for a few concrete universal primitives. From the results described above, the leakage of any correct implementation of a primitive can be determined by finding the (regular) embedding that minimizes the leakage. In general, this is not an easy task since it requires finding the eigenvalues of the reduced density matrix $\rho_A = \mathrm{tr}_B |\psi\rangle\langle\psi|$ (or equivalently $\rho_B = \mathrm{tr}_A |\psi\rangle\langle\psi|$). As far as we know, no known results allow us to obtain a non-trivial lower bound on the leakage (which is the difference between the mutual information and accessible information) of non-trivial primitives. One reason is that in our setting we need to lower bound this difference with respect to a measurement in one particular basis. However, when $P_{X,Y}$ is such that the bit-length of either $X$ or $Y$ is short, the leakage can be computed precisely. We show that any correct implementation of 1-2-OT necessarily leaks 1/2 bit. Since NL-boxes and 1-2-OT are locally equivalent, the same minimal leakage applies to NL-boxes [WW05b]. This is a stronger impossibility result than the one by Lo [Lo97] since he assumes perfect/statistical privacy against one party while our approach only assumes correctness (while both approaches apply even against QHBC adversaries). We finally show that for Rabin-OT and 1-2-OT of $r$-bit strings (i.e. $\mathrm{ROT}^r$ and $\text{1-2-OT}^r$ respectively), the leakage approaches 1 exponentially in $r$. In other words, correct implementations of these two primitives trivialize as $r$ increases since the sender gets almost all information about Bob's reception of the string (in case of $\mathrm{ROT}^r$) and Bob's choice bit (in case of $\text{1-2-OT}^r$). These are the first quantitative impossibility results for these primitives and certainly the first time the hardness of implementing different flavors of string OTs is shown to increase as the strings to be transmitted get longer.

Footnote 5: We are aware of the fact that our definition of triviality encompasses cryptographically interesting primitives like coin-tossing and generalizations thereof for which highly non-trivial protocols exist [Moc07,CK09]. However, the important fact (for the purpose of this paper) is that all these primitives can be implemented by trivial classical protocols against HBC adversaries.

Footnote 6: The weakness of a primitive will be formally defined in terms of entropic monotones for classical two-party computation introduced by Wolf and Wullschleger [WW04], see Section 4.2.

Finally, we note that our lower bounds on the leakage of the randomized primitives also lower-bound the minimum leakage for the standard versions of these primitives (footnote 7) where the players choose their inputs uniformly at random. While we focus on the typical case where the primitives are run with uniform inputs, the same reasoning can be applied to primitives with arbitrary distributions of inputs.

Related Work. Our framework allows us to quantify the minimum amount of leakage whereas standard impossibility proofs such as the ones of [LC97,May97,Lo97,AKSW07,BCS09] do not in general provide such quantification since they usually assume privacy for one player in order to show that the protocol must be totally insecure for the other player (footnote 8). By contrast, we derive lower bounds for the leakage of any correct implementation. At first glance, our approach seems contradictory with standard impossibility proofs since embeddings leak the same amount towards both parties. To resolve this apparent paradox it suffices to observe that in previous approaches only the adversary purified its actions whereas in our case both parties do. If an honest player does not purify his actions then some leakage may be lost by the act of irreversibly and unnecessarily measuring some of his quantum registers.

Our results complement the ones obtained by Colbeck in [Col07] for the setting where Alice and Bob have inputs and obtain identical outcomes (called single-function computations). [Col07] shows that in any correct implementation of primitives of a certain form, an honest-but-curious player can access more information about the other party's input than is available through the ideal functionality. Unlike [Col07], we deal in our work with the case where Alice and Bob do not have inputs but might receive different outputs according to a joint probability distribution. We show that only trivial distributions can be implemented securely in the QHBC model. Furthermore, we introduce a quantitative measure of protocol-insecurity that lets us answer which embeddings allow the least effective cheating.

Another notion of privacy in quantum protocols, generalizing its classical counterpart from [CK91,Kus92], is proposed by Klauck in [Kla04]. Therein, two-party quantum protocols with inputs for computing a function $f : \mathcal{X} \times \mathcal{Y} \to \mathcal{Z}$, where $\mathcal{X}$ and $\mathcal{Y}$ denote Alice's and Bob's respective input spaces, and privacy against QHBC adversaries are considered. Privacy of a protocol is measured in terms of privacy loss, defined for each round of the protocol and fixed distribution of inputs $P_{X',Y'}$ by $S(B;X|Y) = H(X|Y) - S(X|B,Y)$, where $B$ denotes Bob's private working register, and $X := (X', f(X',Y'))$, $Y := (Y', f(X',Y'))$ represent the complete views of Alice and Bob, respectively. Privacy loss of the entire protocol is then defined as the supremum over all joint input distributions, protocol rounds, and states of working registers. In our framework, privacy loss corresponds to $S(X;YB) - I(X;Y)$ from Alice's point of view and $S(Y;XA) - I(X;Y)$ from Bob's point of view. Privacy loss is therefore very similar to our definition of leakage except that it requires the players to get their respective honest outputs. As a consequence, the protocol implementing $P_{X,Y}$ by asking one party to prepare a regular embedding of $P_{X,Y}$ before sending her register to the other party would have no privacy loss. Moreover, the scenario analyzed in [Kla04] is restricted to primitives which provide the same output $f(X,Y)$ to both players. Another difference is that since privacy loss is computed over all rounds of a protocol, a party is allowed to abort, which is not considered QHBC in our setting. In conclusion, the model of [Kla04] is different from ours even though the measures of privacy loss and leakage are similar. [Kla04] provides interesting results concerning trade-offs between privacy loss and communication complexity of quantum protocols, building upon similar results of [CK91,Kus92] in the classical scenario. It would be interesting to know whether a similar operational meaning can also be assigned to the new measure of privacy introduced in this paper.

Footnote 7: The definition of leakage of an embedding can be generalized to protocols with inputs, where it is defined as $\max\{\sup_{V_B} S(X;V_B) - I(X;Y),\ \sup_{V_A} S(V_A;Y) - I(X;Y)\}$, where $X$ and $Y$ involve both inputs and outputs of Alice and Bob, respectively. The supremum is taken over all possible (quantum) views $V_A$ and $V_B$ of Alice and Bob obtained by their (QHBC-consistent) actions (and containing their inputs).

Footnote 8: Trade-offs between the security for one and the security for the other player have been considered before, but either the relaxation of security has to be very small [Lo97] or the trade-offs are restricted to particular primitives such as commitments [SR01,BCH+08].

A recent result by Künzler et al. [KMR09] shows that two-party functions that are securely computable against active quantum adversaries form a strict subset of the set of functions which are securely computable in the classical HBC model. This complements our result that the sets of securely computable functions in both HBC and QHBC models are the same.

Roadmap. In Section 2, we introduce the cryptographic and information-theoretic notions and concepts used throughout the paper. We define, motivate, and analyze the generality of modeling two-party quantum protocols by embeddings in Section 3 and define triviality of primitives and embeddings. In Section 4, we define the notion of leakage of embeddings, show basic properties and argue that it is a reasonable measure of privacy. In Section 5, we explicitly lower bound the leakage of some universal two-party primitives. Finally, in Section 6 we discuss possible directions for future research and open questions.

2 Preliminaries 

Quantum Information Theory. Let $|\psi\rangle_{AB} \in \mathcal{H}_{AB}$ be an arbitrary pure state of the joint systems $A$ and $B$. The states of these subsystems are $\rho_A = \mathrm{tr}_B |\psi\rangle\langle\psi|$ and $\rho_B = \mathrm{tr}_A |\psi\rangle\langle\psi|$ respectively. We denote by $S(A) := S(\rho_A)$ and $S(B) := S(\rho_B)$ the von Neumann entropy (defined as the Shannon entropy of the eigenvalues of the density matrix) of subsystems $A$ and $B$ respectively. Since the joint system is in a pure state, it follows from the Schmidt decomposition that $S(A) = S(B)$ (see e.g. [NC00]). Analogously to their classical counterparts, we can define quantum conditional entropy $S(A|B) := S(AB) - S(B)$, and quantum mutual information $S(A;B) := S(A) + S(B) - S(AB) = S(A) - S(A|B)$. Even though in general $S(A|B)$ can be negative, $S(A|B) \geq 0$ always holds if $A$ is a classical register. Let $R = \{(P_X(x), \rho_R^x)\}_{x \in \mathcal{X}}$ be an ensemble of states $\rho_R^x$ with prior probability $P_X(x)$. The average quantum state is $\rho_R = \sum_{x \in \mathcal{X}} P_X(x)\,\rho_R^x$. The famous result by Holevo upper-bounds the amount of classical information about $X$ that can be obtained by measuring $\rho_R$:

Theorem 2.1 (Holevo bound [Hol73,Rus02]). Let $Y$ be the random variable describing the outcome of some measurement applied to $\rho_R$ for $R = \{(P_X(x), \rho_R^x)\}_{x \in \mathcal{X}}$. Then, $I(X;Y) \leq S(\rho_R) - \sum_x P_X(x)\,S(\rho_R^x)$, where equality can be achieved if and only if $\{\rho_R^x\}_{x \in \mathcal{X}}$ are simultaneously diagonalizable.

Note that if all states in the ensemble are pure and all different then in order to achieve equality in the theorem above, they have to form an orthonormal basis of the space they span. In this case, the variable $Y$ achieving equality is the measurement outcome in this orthonormal basis.

Dependent Part. The following definition introduces a random variable describing the correlation between two random variables $X$ and $Y$, obtained by collapsing all values $x_1$ and $x_2$ for which $Y$ has the same conditional distribution to a single value.

Definition 2.2 (Dependent part [WW04]). For two random variables $X, Y$, let $f_X(x) := P_{Y|X=x}$. Then the dependent part of $X$ with respect to $Y$ is defined as $X \searrow Y := f_X(X)$.

The dependent part $X \searrow Y$ is the minimum random variable among the random variables computable from $X$ for which $X \leftrightarrow X \searrow Y \leftrightarrow Y$ forms a Markov chain [WW04]. In other words, for any random variable $K = f(X)$ such that $X \leftrightarrow K \leftrightarrow Y$ is a Markov chain, there exists a function $g$ such that $g(K) = X \searrow Y$. Immediately from the definition we get several other properties of $X \searrow Y$ [WW04]: $H(Y|X \searrow Y) = H(Y|X)$, $I(X;Y) = I(X \searrow Y;\, Y)$, and $X \searrow Y = X \searrow (Y \searrow X)$. The second and the third formula yield $I(X;Y) = I(X \searrow Y;\, Y \searrow X)$.

The notion of dependent part has been further investigated in [FWW04,IMNW04,WW05a]. Wullschleger and Wolf have shown that the quantities $H(X \searrow Y|Y)$ and $H(Y \searrow X|X)$ are monotones for two-party computation [WW05a]. That is, none of these values can increase during classical two-party protocols. In particular, if Alice and Bob start a protocol from scratch then classical two-party protocols can only produce $(X, Y)$ such that $H(X \searrow Y|Y) = H(Y \searrow X|X) = 0$, since $H(X \searrow Y|Y) > 0$ if and only if $H(Y \searrow X|X) > 0$ [WW05a]. Conversely, any primitive satisfying $H(X \searrow Y|Y) = H(Y \searrow X|X) = 0$ can be implemented securely in the honest-but-curious (HBC) model. We call such primitives trivial (footnote 9).

Purification. All security questions we ask are with respect to (quantum) honest-but-curious adversaries. In the classical honest-but-curious adversary model (HBC), the parties follow the instructions of a protocol but store all information available to them. Quantum honest-but-curious adversaries (QHBC), on the other hand, are allowed to behave in an arbitrary way that cannot be distinguished from their honest behavior by the other player.

Almost all impossibility results in quantum cryptography rely upon a quantum honest-but-curious behavior of the adversary. This behavior consists in purifying all actions of the honest players. Purifying means that instead of invoking classical randomness from a random tape, for instance, the adversary relies upon quantum registers holding all random bits needed. The operations to be executed from the random outcome are then performed quantumly without fixing the random outcomes. For example, suppose a protocol instructs a party to pick with probability $p$ state $|\phi^0\rangle_C$ and with probability $1-p$ state $|\phi^1\rangle_C$ before sending it to the other party through the quantum channel $C$. The purified version of this instruction looks as follows: Prepare a quantum register in state $\sqrt{p}\,|0\rangle_R + \sqrt{1-p}\,|1\rangle_R$ holding the random process. Add a new register initially in state $|0\rangle_C$ before applying the unitary transform $U : |r\rangle_R|0\rangle_C \mapsto |r\rangle_R|\phi^r\rangle_C$ for $r \in \{0,1\}$, send register $C$ through the quantum channel and keep register $R$.

From the receiver's point of view, the purified behavior is indistinguishable from the one relying upon a classical source of randomness because in both cases, the state of register $C$ is $\rho = p\,|\phi^0\rangle\langle\phi^0| + (1-p)\,|\phi^1\rangle\langle\phi^1|$. All operations invoking classical randomness can be purified similarly [LC97,May97,Lo97,Ken04]. The result is that measurements are postponed as much as possible and only extract information required to run the protocol, in the sense that only when both players need to know a random outcome is the corresponding quantum register holding the random coin measured. If both players purify their actions then the joint state at any point during the execution will remain pure, until the very last step of the protocol when the outcomes are measured.

Secure Two-Party Computation. In Section 5, we investigate the leakage of several universal 
cryptographic two-party primitives. By universality we mean that any two-party secure function 
evaluation can be reduced to them. We investigate the completely randomized versions where 
players do not have inputs but receive randomized outputs instead. Throughout this paper, the 
term primitive usually refers to the joint probability distribution defining its randomized version. 
Any protocol implementing the standard version of a primitive (with inputs) can also be used to 
implement a randomized version of the same primitive, with the "inputs" chosen according to an 
arbitrary fixed probability distribution. 



Footnote 9: See Footnote 5 for a caveat about this terminology.

3 Two-Party Protocols and Their Embeddings

3.1 Correctness

In this work, we consider cryptographic primitives providing $X$ to honest player Alice and $Y$ to honest player Bob according to a joint probability distribution $P_{X,Y}$. The goal of this section is to define when a protocol $\pi$ correctly implements the primitive $P_{X,Y}$. The first natural requirement is that once the actions of $\pi$ are purified by both players, measurements of registers $A$ and $B$ in the computational basis (footnote 10) provide joint outcome $(X, Y) = (x, y)$ with probability $P_{X,Y}(x,y)$.

Protocol $\pi$ can use extra registers $A'$ on Alice's and $B'$ on Bob's side providing them with (quantum) working space. The purification of all actions of $\pi$ therefore generates a pure state $|\psi\rangle \in \mathcal{H}_{AB} \otimes \mathcal{H}_{A'B'}$. A second requirement for the correctness of the protocol $\pi$ is that these extra registers are only used as working space, i.e. the final state $|\psi\rangle_{ABA'B'}$ is such that the content of Alice's working register $A'$ does not give her any further information about Bob's output $Y$ than what she can infer from her honest output $X$, and vice versa for $B'$. Formally, we require that $S(XA';Y) = I(X;Y)$ and $S(X;YB') = I(X;Y)$ or equivalently, that $A' \leftrightarrow X \leftrightarrow Y$ and $X \leftrightarrow Y \leftrightarrow B'$ form Markov chains (footnote 11).

Definition 3.1. A protocol $\pi$ for $P_{X,Y}$ is correct if measuring registers $A$ and $B$ of its final state in the computational basis yields outcomes $X$ and $Y$ with distribution $P_{X,Y}$ and the final state satisfies $S(X;YB') = S(XA';Y) = I(X;Y)$ where $A'$ and $B'$ denote the extra working registers of Alice and Bob. The state $|\psi\rangle \in \mathcal{H}_{AB} \otimes \mathcal{H}_{A'B'}$ is called an embedding of $P_{X,Y}$ if it can be produced by the purification of a correct protocol for $P_{X,Y}$.

We would like to point out that our definition of correctness is stronger than the usual classical notion which only requires the correct distribution of the output of the honest players. For example, the trivial classical protocol for the primitive $P_{X,Y}$ in which Alice samples both players' outputs $XY$, sends $Y$ to Bob, but keeps a copy of $Y$ for herself, is not correct according to our definition, because it implements a fundamentally different primitive, namely $P_{XY,Y}$.

3.2 Regular Embeddings 

We call an embedding $|\psi\rangle_{ABA'B'}$ regular if the working registers $A', B'$ are empty. Formally, let $\Theta_{n,m} := \{\theta : \{0,1\}^n \times \{0,1\}^m \to [0, 2\pi)\}$ be the set of functions mapping bit-strings of length $m + n$ to real numbers between $0$ and $2\pi$.

Definition 3.2. For a joint probability distribution $P_{X,Y}$ where $X \in \{0,1\}^n$ and $Y \in \{0,1\}^m$, we define the set



and call any state $|\psi\rangle \in \mathcal{E}(P_{X,Y})$ a regular embedding of the joint probability distribution $P_{X,Y}$.

Footnote 10: It is clear that every quantum protocol for which the final measurement (providing $(x,y)$ with distribution $P_{X,Y}$ to the players) is not in the computational basis can be transformed into a protocol of the described form by two additional local unitary transformations.

Footnote 11: Markov chains with quantum ends have been defined in [DFSS07] and used in subsequent works such as [FS09]. It is straightforward to verify that the entropic condition $S(XA';Y) = I(X;Y)$ is equivalent to $A' \leftrightarrow X \leftrightarrow Y$ being a Markov chain and similarly for the other condition.




Clearly, any $|\psi\rangle \in \mathcal{E}(P_{X,Y})$ produces $(X, Y)$ with distribution $P_{X,Y}$ since the probability that Alice measures $x$ and Bob measures $y$ in the computational basis is $|\langle\psi|x,y\rangle|^2 = P_{X,Y}(x,y)$. In order to specify a particular regular embedding one only needs to give the description of the phase function $\theta(x,y)$. We denote by $|\psi_\theta\rangle \in \mathcal{E}(P_{X,Y})$ the quantum embedding of $P_{X,Y}$ with phase function $\theta$. The constant function $\theta(x,y) := 0$ for all $x \in \{0,1\}^n, y \in \{0,1\}^m$ corresponds to what we call the canonical embedding $|\psi_0\rangle := \sum_{x,y} \sqrt{P_{X,Y}(x,y)}\,|x,y\rangle_{AB}$.

In Lemma 4.3 below we show that every primitive $P_{X,Y}$ has a regular embedding which is in some sense the most secure among all embeddings of $P_{X,Y}$.

3.3 Trivial Classical Primitives and Trivial Embeddings

In this section, we define triviality of classical primitives and (bipartite) embeddings. We show that for any non-trivial classical primitive, its canonical quantum embedding is also non-trivial. Intuitively, a primitive $P_{X,Y}$ is trivial if $X$ and $Y$ can be generated by Alice and Bob from scratch in the classical honest-but-curious (HBC) model (footnote 12). Formally, we define triviality via an entropic quantity based on the notion of dependent part (see Section 2).

Definition 3.3. A primitive $P_{X,Y}$ is called trivial if it satisfies $H(X \searrow Y|Y) = 0$, or equivalently, $H(Y \searrow X|X) = 0$. Otherwise, the primitive is called non-trivial.

Definition 3.4. A regular embedding $|\psi\rangle_{AB} \in \mathcal{E}(P_{X,Y})$ is called trivial if either $S(X \searrow Y|B) = 0$ or $S(Y \searrow X|A) = 0$. Otherwise, we say that $|\psi\rangle_{AB}$ is non-trivial.

Notice that unlike in the classical case, $S(X \searrow Y|B) = 0 \Leftrightarrow S(Y \searrow X|A) = 0$ does not hold in general. As an example, consider a shared quantum state where the computational basis corresponds to the Schmidt basis for only one of its subsystems, say for $A$. Let $|\psi\rangle = \alpha|0\rangle_A|\xi_0\rangle_B + \beta|1\rangle_A|\xi_1\rangle_B$ be such that both subsystems are two-dimensional, $\{|\xi_0\rangle, |\xi_1\rangle\} \neq \{|0\rangle, |1\rangle\}$, $\langle\xi_0|\xi_1\rangle = 0$, and $|\langle\xi_0|0\rangle| \neq |\langle\xi_1|0\rangle|$. We then have $S(X|B) = 0$ and $S(Y|A) > 0$ while $X = X \searrow Y$ and $Y = Y \searrow X$.

To illustrate this definition of triviality, we argue in the following that if a primitive $P_{X,Y}$ has a trivial regular embedding, there exists a classical protocol which generates $X, Y$ securely in the HBC model. Let $|\psi\rangle \in \mathcal{E}(P_{X,Y})$ be trivial and assume without loss of generality that $S(Y \searrow X|A) = 0$. Intuitively, this means that Alice can learn everything possible about Bob's outcome $Y$ ($Y$ could include some private coin-flips on Bob's side, but that is "filtered out" by the dependent part). More precisely, Alice holding register $A$ can measure her part of the shared state to completely learn a realization of $Y \searrow X$, specifying $P_{X|Y=y}$. She then chooses $X$ according to the distribution $P_{X|Y=y}$. An equivalent way of trivially generating $(X, Y)$ classically is the following classical protocol:

1. Alice samples $P_{X|Y=y'}$ from the distribution $P_{Y \searrow X}$ and announces its outcome to Bob. She samples $x$ from the distribution $P_{X|Y=y'}$.

2. Bob picks $y$ with probability $P_{Y \mid Y \searrow X = P_{X|Y=y'}}(y)$.

Of course, the same reasoning applies in case $S(X \searrow Y|B) = 0$ with the roles of Alice and Bob reversed.

In fact, the following lemma (proven in Appendix B) shows that any non-trivial primitive $P_{X,Y}$ has a non-trivial embedding, i.e. there exists a quantum protocol correctly implementing $P_{X,Y}$ while leaking less information to QHBC adversaries than any classical protocol for $P_{X,Y}$ in the HBC model.

Lemma 3.5. If $P_{X,Y}$ is a non-trivial primitive then the canonical embedding $|\psi_0\rangle \in \mathcal{E}(P_{X,Y})$ is also non-trivial.

Footnote 12: See Footnote 5 for a caveat about this terminology.

4 The Leakage of Quantum Embeddings

We formally define the leakage of embeddings and establish properties of the leakage. The proofs of all statements in this section can be found in Appendix C.

4.1 Definition and Basic Properties of Leakage

A perfect implementation of $P_{X,Y}$ simply provides $X$ to Alice and $Y$ to Bob and does nothing else. The expected amount of information that one random variable gives about the other is $I(X;Y) = H(X) - H(X|Y) = H(Y) - H(Y|X) = I(Y;X)$. Intuitively, we define the leakage of a quantum embedding $|\psi\rangle_{ABA'B'}$ of $P_{X,Y}$ as the larger of the two following quantities: the extra amount of information Bob's quantum registers $BB'$ provide about $X$ and the extra amount Alice's quantum state in $AA'$ provides about $Y$, respectively, in comparison to "the minimum amount" $I(X;Y)$ (footnote 13).

Definition 4.1. Let $|\psi\rangle \in \mathcal{H}_{ABA'B'}$ be an embedding of $P_{X,Y}$. We define the leakage of $|\psi\rangle$ as 

$$\Delta_\psi(P_{X,Y}) := \max\{S(X;BB') - I(X;Y),\ S(AA';Y) - I(X;Y)\}.$$

Furthermore, we say that $|\psi\rangle$ is $\delta$-leaking if $\Delta_\psi(P_{X,Y}) \geq \delta$. 

It is easy to see that the leakage is non-negative since $S(X;BB') \geq S(X;B)$ for $B$ the result of 
a quantum operation applied to $BB'$. Such an operation could be the trace over the extra working 
register $B'$ and a measurement in the computational basis of each qubit of the part encoding $Y$, 
yielding $S(X;B) = I(X;Y)$. 

We want to argue that our notion of leakage is a good measure for the privacy of the player's 
outputs. In the same spirit, we will argue that the minimum achievable leakage for a primitive 
is related to the "hardness" of implementing it. We start off by proving several basic properties 
about leakage. 

For a general state $|\psi\rangle \in \mathcal{H}_{ABA'B'}$ the quantities $S(X;BB') - I(X;Y)$ and $S(AA';Y) - I(X;Y)$ are 
not necessarily equal. Note though that they coincide for regular embeddings $|\psi\rangle \in \mathcal{E}(P_{X,Y})$ 
produced by a correct protocol (where the work spaces $A'$ and $B'$ are empty): Notice that 
$S(X;B) = S(X) + S(B) - S(X,B) = H(X) + S(B) - H(X) = S(B)$ and because $|\psi\rangle$ is pure, $S(A) = S(B)$. 
Therefore, $S(X;B) = S(A;Y)$ and the two quantities coincide. The following lemma states that 
this actually happens for all embeddings and hence, the definition of leakage is symmetric with 
respect to both players. 

Lemma 4.2 (Symmetry). Let $|\psi\rangle \in \mathcal{H}_{ABA'B'}$ be an embedding of $P_{X,Y}$. Then, 

$$\Delta_\psi(P_{X,Y}) = S(X;BB') - I(X;Y) = S(AA';Y) - I(X;Y).$$

The next lemma shows that the leakage of an embedding of a given primitive is lower-bounded 
by the leakage of some regular embedding of the same primitive, which simplifies the calculation 
of lower bounds for the leakage of embeddings. 

Lemma 4.3. For every embedding $|\psi\rangle$ of a primitive $P_{X,Y}$, there is a regular embedding $|\psi'\rangle$ of 
$P_{X,Y}$ such that $\Delta_\psi(P_{X,Y}) \geq \Delta_{\psi'}(P_{X,Y})$. 

13 There are other natural candidates for the notion of leakage such as the difference in difficulty between 
guessing Alice's output X by measuring Bob's final quantum state B and based on the output of the 
ideal functionality Y. While such definitions do make sense, they turn out not to be as easy to work 
with and it is an open question whether the natural properties described later in this section can be 
established for these notions of leakage as well. 
So far, we have defined the leakage of an embedding of a primitive. The natural definition of 
the leakage of a primitive is the following. 

Definition 4.4. We define the leakage of a primitive $P_{X,Y}$ as the minimal leakage among all 
protocols correctly implementing $P_{X,Y}$. Formally, 

$$\Delta_{P_{X,Y}} := \min_{\psi} \Delta_\psi(P_{X,Y}),$$

where the minimization is over all embeddings $|\psi\rangle$ of $P_{X,Y}$. 

Notice that the minimum in the previous definition is well-defined, because by Lemma 4.3, it is suf- 
ficient to minimize over regular embeddings $|\psi\rangle \in \mathcal{E}(P_{X,Y})$. Furthermore, the function $\Delta_\psi(P_{X,Y})$ 
is continuous on the compact (i.e. closed and bounded) set $[0, 2\pi]^{|\mathcal{X}| \times |\mathcal{Y}|}$ of complex phases corre- 
sponding to elements $|x,y\rangle_{AB}$ in the formula for $|\psi\rangle_{AB} \in \mathcal{E}(P_{X,Y})$ and therefore it achieves its 
minimum. 

The following theorem shows that the leakage of any embedding of a primitive $P_{X,Y}$ is lower- 
bounded by the minimal leakage achievable for primitive $P_{X \searrow Y, Y \searrow X}$ (which due to Lemma 4.3 is 
achieved by a regular embedding). 

Theorem 4.5. For any primitive $P_{X,Y}$, $\Delta_{P_{X,Y}} \geq \Delta_{P_{X \searrow Y, Y \searrow X}}$. 

Proof (Sketch). The proof idea is to pre-process the registers storing $X$ and $Y$ in a way allowing 
Alice and Bob to convert a regular embedding of $P_{X,Y}$ (for which the minimum leakage is achieved) 
into a regular embedding of $P_{X \searrow Y, Y \searrow X}$ by measuring parts of these registers. It follows that on 
average, the leakage of the resulting regular embedding of $P_{X \searrow Y, Y \searrow X}$ is at most the leakage of 
the embedding of $P_{X,Y}$ the players started with. Hence, there must be a regular embedding of 
$P_{X \searrow Y, Y \searrow X}$ leaking at most as much as the best embedding of $P_{X,Y}$. See Appendix C.3 for the 
complete proof. □ 



4.2 Leakage as Measure of Privacy and Hardness of Implementation 

The main results of this section are consequences of the Holevo bound (Theorem 2.1). 

Theorem 4.6. If a two-party quantum protocol provides the correct outcomes of $P_{X,Y}$ to the 
players without leaking extra information, then $P_{X,Y}$ must be a trivial primitive. 

Proof. Theorem 4.5 implies that if there is a 0-leaking embedding of $P_{X,Y}$ then there is also 
a 0-leaking embedding of $P_{X \searrow Y, Y \searrow X}$. Let us therefore assume that $|\psi\rangle$ is a non-leaking em- 
bedding of $P_{X,Y}$ such that $X = X \searrow Y$ and $Y = Y \searrow X$. We can write $|\psi\rangle$ in the form 
$|\psi\rangle = \sum_x \sqrt{P_X(x)}\,|x\rangle|\varphi_x\rangle$ and get $\rho_B = \sum_x P_X(x)\,|\varphi_x\rangle\langle\varphi_x|$. For the leakage of $|\psi\rangle$ we have: 
$\Delta_\psi(P_{X,Y}) = S(X;B) - I(X;Y) = S(\rho_B) - I(X;Y) = 0$. From the Holevo bound (Theorem 2.1) 
follows that the states $\{|\varphi_x\rangle\}_x$ form an orthonormal basis of their span (since $X = X \searrow Y$, they 
are all different) and that $Y$ captures the result of a measurement in this basis, which therefore is 
the computational basis. Since $Y = Y \searrow X$, we get that for each $x$, there is a single $y_x \in \mathcal{Y}$ such 
that $|\varphi_x\rangle = |y_x\rangle$. The primitives $P_{X \searrow Y, Y \searrow X}$ and $P_{X,Y}$ are therefore trivial. □ 

In other words, the only primitives that two-party quantum protocols can implement correctly 
(without the help of a trusted third party) and without leakage are the trivial ones! We note 
that it is not necessary to use the strict notion of correctness from Definition 3.1 in this theorem, 
but a more complicated proof can be done solely based on the correct distribution of the values. 
This result can be seen as a quantum extension of the corresponding characterization for the 
cryptographic power of classical protocols in the HBC model. Whereas classical two-party protocols 
cannot achieve anything non-trivial, their quantum counterparts necessarily leak information when 
they implement non-trivial primitives. 

The notion of leakage can be extended to protocols involving a trusted third party (see Ap- 
pendix C.6). A special case of such protocols are the ones where the players are allowed one call 
to a black box for a certain non-trivial primitive. It is natural to ask which primitives can be 
implemented without leakage in this case. As it turns out, the monotones $H(X \searrow Y \mid Y)$ and 
$H(Y \searrow X \mid X)$, introduced in [WW04], are also monotones for quantum computation, in the 
sense that all joint random variables $X', Y'$ that can be generated by quantum players with- 
out leakage using one black-box call to $P_{X,Y}$ satisfy $H(X' \searrow Y' \mid Y') \leq H(X \searrow Y \mid Y)$ and 
$H(Y' \searrow X' \mid X') \leq H(Y \searrow X \mid X)$. 

Theorem 4.7. Suppose that primitives $P_{X,Y}$ and $P_{X',Y'}$ satisfy $H(X' \searrow Y' \mid Y') > H(X \searrow Y \mid Y)$ 
or $H(Y' \searrow X' \mid X') > H(Y \searrow X \mid X)$. Then any implementation of $P_{X',Y'}$ using just one call to 
the ideal functionality for $P_{X,Y}$ leaks information. 

4.3 Reducibility of Primitives and Their Leakage 

This section is concerned with the following question: Given two primitives $P_{X,Y}$ and $P_{X',Y'}$ such 
that $P_{X,Y}$ is reducible to $P_{X',Y'}$, what is the relationship between the leakage of $P_{X,Y}$ and the 
leakage of $P_{X',Y'}$? We use the notion of reducibility in the following sense: We say that a primitive 
$P_{X,Y}$ is reducible in the HBC model to a primitive $P_{X',Y'}$ if $P_{X,Y}$ can be securely implemented in 
the HBC model from (one call to) a secure implementation of $P_{X',Y'}$. The above question can also 
be generalized to the case where $P_{X,Y}$ can be computed from $P_{X',Y'}$ only with certain probability. 
Notice that the answer, even if we assume perfect reducibility, is not captured in our previous 
result from Lemma 4.3, since an embedding of $P_{X',Y'}$ is not necessarily an embedding of $P_{X,Y}$ (it 
might violate the correctness condition). However, under certain circumstances, we can show that 
$\Delta_{P_{X',Y'}} \geq \Delta_{P_{X,Y}}$. 

Theorem 4.8. Assume that primitives $P_{X,Y}$ and $P_{X',Y'} = P_{X'_0 X'_1, Y'_0 Y'_1}$ satisfy the condition: 

$$\sum_{x,y:\ P_{X'_0, Y'_0 \mid X'_1 = x, Y'_1 = y} \sim P_{X,Y}} P_{X'_1, Y'_1}(x,y) \geq 1 - \delta,$$

where the relation $\sim$ means that the two distributions are equal up to relabeling of the alphabet. 
Then, $\Delta_{P_{X',Y'}} \geq (1-\delta)\,\Delta_{P_{X,Y}}$. 

This theorem allows us to derive a lower bound on the leakage of 1-out-of-2 Oblivious Transfer of 
$r$-bit strings in Section 5. 

5 The Leakage of Universal Cryptographic Primitives 

In this section, we exhibit lower bounds on the leakage of some universal two-party primitives, see 
Appendix A for an overview of these primitives. In the following table, $\mathrm{ROT}^r$ denotes the $r$-bit string 
version of randomized Rabin OT, where Alice receives a random $r$-bit string and Bob receives the 
same string or an erasure symbol, each with probability 1/2. Similarly, $\text{1-2-OT}^r$ denotes the string 
version of 1-2-OT, where Alice receives two $r$-bit strings and Bob receives one of them. By $\text{1-2-OT}^p$ 
we denote the noisy version of 1-2-OT, where the 1-2-OT functionality is implemented correctly 
only with probability $1 - p$. Table 1 summarizes the lower bounds on the leakage of these primitives 
(the derivations can be found in Appendix D). We note that Wolf and Wullschleger [WW05b] have 
shown that a randomized 1-2-OT can be transformed by local operations into an additive sharing 
of an AND (here called SAND). Therefore, our results for 1-2-OT below also apply to SAND. 
primitive        leaking at least                                   comments 
ROT^1            $h(1/4) - 1/2 \approx 0.311$                         same leakage for all regular embeddings 
ROT^r            $(1 - O(r\,2^{-r}))$                                 same leakage for all regular embeddings 
1-2-OT, SAND     $1/2$                                               minimized by canonical embedding 
1-2-OT^r         $(1 - O(r\,2^{-r}))$                                 (suboptimal) lower bound 
1-2-OT^p         $\bigl(1/2 - p - \sqrt{p(1-p)}\bigr)^2 / (8 \ln 2)$   if $p < \sin^2(\pi/8) \approx 0.15$, (suboptimal) lower bound 

Table 1. Lower bounds on the leakage for universal two-party primitives 



$\text{1-2-OT}^r$ and $\text{1-2-OT}^p$ are primitives where the direct evaluation of the leakage for a general 
embedding $|\psi_\theta\rangle$ is hard, because the number of possible phases increases exponentially in the 
number of qubits. Instead of computing $S(A)$ directly, we derive (suboptimal) lower bounds on the 
leakage. 
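For small instances the direct evaluation is feasible. The following added example (my own code, not the paper's) builds the joint distributions of $\mathrm{ROT}^r$ and $\text{1-2-OT}^r$, forms Bob's reduced state $\rho_B$ of the canonical embedding, and evaluates the leakage as $S(\rho_B) - I(X;Y)$, using the identity $S(X;B) = S(B)$ shown for regular embeddings in Section 4.1; it reproduces the values $h(1/4) - 1/2 \approx 0.311$ and $1/2$ of Table 1 and also shows the zero leakage of a trivial primitive. All helper names are this example's own.

```python
"""Leakage of the canonical embedding of two-party primitives (added example).

For a regular embedding |psi_0> = sum_{x,y} sqrt(P_{X,Y}(x,y)) |x>_A |y>_B the text
shows S(X;B) = S(B), so Definition 4.1 reduces to Delta = S(rho_B) - I(X;Y) with
rho_B = tr_A |psi_0><psi_0|.  All helper names below are this example's own.
"""
import math
from itertools import product

BOTTOM = "⊥"  # erasure symbol of Rabin OT


def shannon(probs):
    """Shannon entropy in bits of a probability vector (zeros are skipped)."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def rot(r):
    """ROT^r: Alice gets a uniform x in {0,1}^r; Bob gets x or ⊥, each w.p. 1/2."""
    dist = {}
    for bits in product("01", repeat=r):
        x = "".join(bits)
        dist[(x, x)] = 2.0 ** (-r - 1)
        dist[(x, BOTTOM)] = 2.0 ** (-r - 1)
    return dist


def ot12(r=1):
    """1-2-OT^r: Alice gets uniform r-bit strings (x0, x1); Bob gets a uniform
    choice bit c together with y = x_c.  r = 1 is plain 1-2-OT."""
    dist = {}
    for b0, b1, c in product(product("01", repeat=r), product("01", repeat=r), "01"):
        x = ("".join(b0), "".join(b1))
        dist[(x, (c, x[int(c)]))] = 2.0 ** (-2 * r - 1)
    return dist


def perfect_channel():
    """A trivial primitive: Bob simply receives Alice's uniform bit (Y = X)."""
    return {("0", "0"): 0.5, ("1", "1"): 0.5}


def mutual_information(dist):
    """I(X;Y) = H(X) + H(Y) - H(XY) for a joint distribution {(x, y): p}."""
    px, py = {}, {}
    for (x, y), p in dist.items():
        px[x] = px.get(x, 0.0) + p
        py[y] = py.get(y, 0.0) + p
    return shannon(px.values()) + shannon(py.values()) - shannon(dist.values())


def bob_reduced_state(dist):
    """rho_B of the canonical embedding in the computational basis of Y:
    rho_B = sum_x P_X(x) |phi_x><phi_x| with |phi_x> = sum_y sqrt(P_{Y|X=x}(y)) |y>,
    hence rho_B[y, y'] = sum_x sqrt(P(x, y) P(x, y')), a real symmetric matrix."""
    ys = sorted({y for (_, y) in dist})
    xs = sorted({x for (x, _) in dist})
    n = len(ys)
    rho = [[0.0] * n for _ in range(n)]
    for x in xs:
        amp = [math.sqrt(dist.get((x, y), 0.0)) for y in ys]
        for i in range(n):
            for j in range(n):
                rho[i][j] += amp[i] * amp[j]
    return rho


def symmetric_eigenvalues(m, sweeps=100):
    """Eigenvalues of a real symmetric matrix by cyclic Jacobi rotations
    (pure Python, so the example needs no numpy)."""
    a = [row[:] for row in m]
    n = len(a)
    for _ in range(sweeps):
        if sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < 1e-22:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if a[p][q] == 0.0:
                    continue
                theta = (a[q][q] - a[p][p]) / (2.0 * a[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.hypot(theta, 1.0))
                c = 1.0 / math.hypot(t, 1.0)
                s = t * c
                for k in range(n):  # A <- A J   (columns p and q)
                    akp, akq = a[k][p], a[k][q]
                    a[k][p], a[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):  # A <- J^T A (rows p and q)
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return [a[i][i] for i in range(n)]


def canonical_leakage(dist):
    """Delta_{psi_0}(P_{X,Y}) = S(rho_B) - I(X;Y) for the canonical embedding."""
    eig = symmetric_eigenvalues(bob_reduced_state(dist))
    return shannon([lam for lam in eig if lam > 1e-12]) - mutual_information(dist)


if __name__ == "__main__":
    h = shannon([0.25, 0.75])  # binary entropy h(1/4)
    print(f"ROT^1    {canonical_leakage(rot(1)):.4f}   (h(1/4) - 1/2 = {h - 0.5:.4f})")
    print(f"ROT^3    {canonical_leakage(rot(3)):.4f}")
    print(f"1-2-OT   {canonical_leakage(ot12(1)):.4f}")
    print(f"1-2-OT^2 {canonical_leakage(ot12(2)):.4f}")
    print(f"Y = X    {canonical_leakage(perfect_channel()):.4f}   (trivial primitive)")
```

The value for $\text{1-2-OT}^r$ is exactly $1 - 2^{-r}$, so for $r = 1$ the canonical embedding meets the $1/2$ of Table 1; the pure-Python eigensolver keeps the example self-contained but limits it to small $r$.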

Based on the examples of $\mathrm{ROT}^r$ and 1-2-OT, it is tempting to conjecture that the leakage is 
always minimized for the canonical embedding, which agrees with the geometric intuition that the 
minimal pairwise distinguishability of quantum states in a mixture minimizes the von Neumann 
entropy of the mixture. However, Jozsa and Schlienz have shown that this intuition is sometimes 
incorrect [JS00]. In a quantum system of dimension at least three, we can have the following 
situation: For two sets of pure states $\{|u_i\rangle\}_{i=1}^n$ and $\{|v_i\rangle\}_{i=1}^n$ satisfying $|\langle u_i|u_j\rangle| \leq |\langle v_i|v_j\rangle|$ for all 
$i, j$, there exist probabilities $p_i$ such that for $\rho_u := \sum_{i=1}^n p_i |u_i\rangle\langle u_i|$, $\rho_v := \sum_{i=1}^n p_i |v_i\rangle\langle v_i|$, it holds 
that $S(\rho_u) < S(\rho_v)$. As we can see, although each pair $|u_i\rangle, |u_j\rangle$ is more distinguishable than the 
corresponding pair $|v_i\rangle, |v_j\rangle$, the overall $\rho_u$ provides us with less uncertainty than $\rho_v$. It follows that 
although for the canonical embedding $|\psi_0\rangle = \sum_y |\varphi_y\rangle|y\rangle$ of $P_{X,Y}$ the mutual overlaps $|\langle \varphi_y|\varphi_{y'}\rangle|$ are 
clearly maximized, it does not necessarily imply that $S(A)$ in this case is minimal over $\mathcal{E}(P_{X,Y})$. It 
is an interesting open question to find a primitive whose canonical embedding does not minimize 
the leakage or to prove that no such primitive exists. 

For the primitive $P^p_{X,Y}$, our lower bound on the leakage only holds for $p < \sin^2(\pi/8) \approx 0.15$. 
Notice that in reality, the leakage is strictly positive for any embedding of $P^p_{X,Y}$ with $p < 1/4$, 
since for $p < 1/4$, $P^p_{X,Y}$ is a non-trivial primitive. On the other hand, $P^{1/4}_{X,Y}$ is a trivial primitive 
implemented securely by the following protocol in the classical HBC model: 

1. Alice chooses randomly between her input bits $x_0$ and $x_1$ and sends the chosen value $x_a$ to 
Bob. 

2. Bob chooses his selection bit $c$ uniformly at random and sets $y := x_a$. 

Equality $x_c = y$ is satisfied if either $a = c$, which happens with probability 1/2, or if $a \neq c$ and 
$x_a = x_{1-a}$, which happens with probability 1/4. Since the two events are disjoint, it follows that 
$x_c = y$ with probability 3/4 and that the protocol implements $P^{1/4}_{X,Y}$. The implementation is clearly 
secure against honest-but-curious Alice, since she does not receive any message from Bob. It is also 
secure against Bob, since he receives only one bit from Alice. By letting Alice randomize the value 
of the bit she is sending, the players can implement $P^p_{X,Y}$ securely for any value $1/4 \leq p \leq 1/2$. 

6 Conclusion and Open Problems 

We have provided a quantitative extension of qualitative impossibility results for two-party quan- 
tum cryptography. All non-trivial primitives leak information when implemented by quantum 
protocols. Notice that demanding a protocol to be non-leaking does in general not imply the pri- 
vacy of the players' outputs. For instance, consider a protocol implementing 1-2-OT but allowing a 
curious receiver with probability 1/2 to learn both bits simultaneously or with probability 1/2 to learn 
nothing about them. Such a protocol for 1-2-OT would be non-leaking but nevertheless insecure. 
Consequently Theorem 4.6 not only tells us that any quantum protocol implementing a non-trivial 
primitive must be insecure, but also that a privacy breach will reveal itself as leakage. Our frame- 
work allows to quantify the leakage of any two-party quantum protocol correctly implementing a 
primitive. The impossibility results obtained here are stronger than standard ones since they only 
rely on the cryptographic correctness of the protocol. Furthermore, we present lower bounds on 
the leakage of some universal two-party primitives. 

A natural open question is to find a way to identify good embeddings for a given primitive. 
In particular, how far can the leakage of the canonical embedding be from the best one? Such a 
characterization, even if only applicable to special primitives, would allow to lower bound their 
leakage and would also help to understand the power of two-party quantum cryptography in a 
more concise way. 

It would also be interesting to find a measure of cryptographic non-triviality for two-party 
primitives and to see how it relates to the minimum leakage of any implementation by quantum 
protocols. For instance, is it true that quantum protocols for primitive $P_{X,Y}$ leak more if the 
minimum (total variation) distance between $P_{X,Y}$ and any trivial primitive increases? 

Another question we leave for future research is to define and investigate other notions of leak- 
age, e.g. in the one-shot setting instead of in the asymptotic regime (as outlined in Footnote 13). 
Results in the one-shot setting have already been established for data compression [RW05], chan- 
nel capacities [RWW06], state-merging [WR07,Ber08] and other (quantum-) information-theoretic 
tasks. 

Furthermore, it would be interesting to find more applications for the concept of leakage, 
considered also for protocols using an environment as a trusted third party. In this direction, we 
have shown in Theorem 4.7 that any two-party quantum protocol for a given primitive, using a black 
box for an "easier" primitive, leaks information. Lower-bounding this leakage is an interesting open 
question. We might also ask how many copies of the "easier" primitive are needed to implement 
the "harder" primitive by a quantum protocol, which would give us an alternative measure of 
non-triviality of two-party primitives. 
A Cryptographic Primitives 

Here we list the standard cryptographic primitives studied in this paper. 

String Rabin OT ($\mathrm{ROT}^r$): [Rab81] Alice sends a random string of $r$ bits to Bob who receives 
it with probability 1/2, otherwise he receives a special symbol $\bot$. Alice does not learn any 
information about whether Bob has received the string she sent. 

One-out-of-two String OT ($\text{1-2-OT}^r$): [Wie83,EGL82] Alice sends two random $r$-bit strings 
to Bob who decides which of them he receives. Bob does not learn any information about the 
other one of Alice's strings and Alice does not learn which of the strings has been received by 
Bob. 

Additive sharing of AND (SAND): [PR94] Alice and Bob choose their respective input bits $x$ 
and $y$, and receive the output bits $a$ resp. $b$ such that $a \oplus b = x \wedge y$ and $\Pr[a = 0] = 1/2$. They 
do not get any other information. 

Noisy one-out-of-two OT ($\text{1-2-OT}^p$): Alice sends two bits to Bob who decides which of them 
he wants to receive. The selected bit is transmitted to him over a noisy channel with noise rate 
$p$. Bob does not learn any information about the other one of Alice's bits and Alice does not 
learn any information about Bob's selection bit. 

We present a description of the randomized versions of the primitives in the following: 

String Rabin OT ($\mathrm{ROT}^r$): For $x \in \{0,1\}^r$ and $y \in \{0,1\}^r \cup \{\bot\}$: 

$$P^{\mathrm{ROT}^r}_{X,Y}(x,y) := \begin{cases} 2^{-r-1} & \text{if } y = x \text{ or } y = \bot, \\ 0 & \text{otherwise,} \end{cases}$$

is the joint probability distribution associated to an execution of Rabin OT of a random binary 
string of length $r$. 

One-out-of-two OT (1-2-OT): For $x_0, x_1, y, c \in \{0,1\}$: 

$$P^{\text{1-2-OT}}_{X,Y}((x_0,x_1),(c,y)) := \begin{cases} 1/8 & \text{if } y = x_c, \\ 0 & \text{otherwise,} \end{cases}$$

is the joint probability distribution for the execution of one-out-of-two OT upon random input 
bits. 

One-out-of-two String OT ($\text{1-2-OT}^r$): For $x_0, x_1, y \in \{0,1\}^r$ and $c \in \{0,1\}$, let 

$$P^{\text{1-2-OT}^r}_{X,Y}((x_0,x_1),(c,y)) := \begin{cases} 2^{-2r-1} & \text{if } y = x_c, \\ 0 & \text{otherwise;} \end{cases}$$

this is the joint probability distribution associated to an execution of one-out-of-two $r$-bit string 
OT upon random inputs. 

Additive Sharing of AND (SAND): For $x, y, a, b \in \{0,1\}$: 

$$P^{\mathrm{SAND}}_{X,Y}((x,a),(y,b)) := \begin{cases} 1/8 & \text{if } xy = a \oplus b, \\ 0 & \text{otherwise,} \end{cases}$$

is the joint probability distribution associated to the generation of an additive sharing for the 
AND of two random bits. 

Noisy one-out-of-two OT ($\text{1-2-OT}^p$): For $x_0, x_1, y, c \in \{0,1\}$ and $p \in (0, 1/2)$: 

$$P^{\text{1-2-OT}^p}_{X,Y}((x_0,x_1),(c,y)) := \begin{cases} (1-p)/8 & \text{if } y = x_c, \\ p/8 & \text{otherwise,} \end{cases}$$

is the joint probability distribution associated to an execution of one-out-of-two OT where the 
selected bit is received through a binary symmetric channel with error rate $p$. 



B Proof of Lemma 3.5 

A non-trivial embedding of $P_{X,Y}$ can be created from a non-trivial embedding of $P_{X \searrow Y, Y \searrow X}$ by 
applying local unitary transforms. We therefore assume without loss of generality that $X = X \searrow Y$ 
and $Y = Y \searrow X$. Let 

$$|\psi_0\rangle := \sum_{x,y} \sqrt{P_{X,Y}(x,y)}\,|x,y\rangle$$

be the canonical embedding of $P_{X,Y}$. Since $X = X \searrow Y$ and $Y = Y \searrow X$, it holds for any $x_0 \neq x_1$ 
that $P_{Y|X=x_0} \neq P_{Y|X=x_1}$. Furthermore, since $P_{X,Y}$ is non-trivial, there exist $x_0 \neq x_1$ and $y_0$ such 
that $P_{Y|X=x_0}(y_0) > 0$ and $P_{Y|X=x_1}(y_0) > 0$. The state $|\psi_0\rangle$ can be written in the form: 

$$|\psi_0\rangle = \sqrt{P_X(x_0)}\,|x_0\rangle \sum_y \sqrt{P_{Y|X=x_0}(y)}\,|y\rangle + \sqrt{P_X(x_1)}\,|x_1\rangle \sum_y \sqrt{P_{Y|X=x_1}(y)}\,|y\rangle + |\psi'\rangle,$$

where $\mathrm{tr}(|x_0\rangle\langle x_0|\,\mathrm{tr}_B|\psi'\rangle\langle\psi'|) = \mathrm{tr}(|x_1\rangle\langle x_1|\,\mathrm{tr}_B|\psi'\rangle\langle\psi'|) = 0$. Set $|\varphi_{x_b}\rangle := \sum_y \sqrt{P_{Y|X=x_b}(y)}\,|y\rangle$ for 
$b \in \{0,1\}$. Since $P_{Y|X=x_0} \neq P_{Y|X=x_1}$, we get that $|\langle \varphi_{x_0}|\varphi_{x_1}\rangle| < 1$. Because all coefficients at $|y\rangle$ 
in the normalized vectors $|\varphi_{x_0}\rangle$ and $|\varphi_{x_1}\rangle$ are non-negative, and the coefficients at $|y_0\rangle$ are both 
positive, $\langle \varphi_{x_0}|\varphi_{x_1}\rangle \neq 0$. Therefore, the non-identical states $|\varphi_{x_0}\rangle$ and $|\varphi_{x_1}\rangle$ cannot be perfectly 
distinguished, which implies that Bob cannot learn whether $X = x_0$ or $X = x_1$ with probability 
1. Therefore, the von Neumann entropy on Bob's side $S(B)$ is such that $S(B) < H(X)$. As 
$H(X \searrow Y \mid Y) > 0$ implies $H(Y \searrow X \mid X) > 0$, we can argue in the same way that $S(A) < H(Y)$ 
from which follows that $|\psi_0\rangle$ is a non-trivial quantum embedding of $P_{X,Y}$. □ 



C Proofs of Properties of Leakage 
C.l Proof of Lemma 4.2 

We have already shown that the statement is true in the case where both $A'$ and $B'$ are trivial. 
In the case where $A'$ is trivial and $B'$ is not, the Markov chain condition implies that $|\psi\rangle$ is of the 
form 

$$|\psi\rangle = \sum_{x,y} \sqrt{P_{X,Y}(x,y)}\,|x,y\rangle_{AB}\,|\varphi^y\rangle_{B'},$$

hence, Bob can fix $y_0$ and apply a unitary transform $U_{BB'}$ on his part of the system, such that 

$$U_{BB'}|y,\varphi^y\rangle = |y,\varphi^{y_0}\rangle, \qquad\text{and}\qquad (\mathbb{1}_A \otimes U_{BB'})|\psi\rangle_{ABB'} = |\psi^*\rangle_{AB} \otimes |\varphi^{y_0}\rangle_{B'},$$

where $|\psi^*\rangle \in \mathcal{E}(P_{X,Y})$. In the resulting product state, $S(X;BB') - I(X;Y) = S(X;B) - I(X;Y) = 
S(A;Y) - I(X;Y)$, due to the fact that $|\psi^*\rangle \in \mathcal{E}(P_{X,Y})$. An analogous statement holds in the case 
where $B'$ is trivial and $A'$ is non-trivial. 

We now assume that both $A'$ and $B'$ are non-trivial. An embedding of $P_{X,Y}$ can be written as 

$$|\psi\rangle = \sum_{x,y} \sqrt{P_{X,Y}(x,y)}\,|x,y\rangle_{AB}\,|\varphi^{x,y}\rangle_{A'B'}.$$

For every $x$ and $y$, we can write the pure state 

$$|\varphi^{x,y}\rangle = \sum_{k=1}^{K} \sqrt{\lambda_k^{x,y}}\,|e_k^{x,y}\rangle|f_k^{x,y}\rangle$$

in Schmidt form. For the reduced density matrices, we obtain 

$$\rho^{x,y}_{A'} = \sum_k \lambda_k^{x,y}\,|e_k^{x,y}\rangle\langle e_k^{x,y}|, \qquad \rho^{x,y}_{B'} = \sum_k \lambda_k^{x,y}\,|f_k^{x,y}\rangle\langle f_k^{x,y}|.$$

Since any embedding $|\psi\rangle \in \mathcal{H}_{ABA'B'}$ of $P_{X,Y}$ is produced by a correct protocol, it satisfies 

$$S(XA';Y) = S(X;YB') = I(X;Y),$$

which is equivalent to $A' \leftrightarrow X \leftrightarrow Y$ and $X \leftrightarrow Y \leftrightarrow B'$ being Markov chains. It follows that 
for every $x$ and $y \neq y'$, the reduced density matrices $\rho^{x,y}_{A'} = \rho^{x,y'}_{A'} =: \rho^x_{A'}$ coincide and therefore, 
the eigenvalues $\lambda_k^{x,y}$ cannot depend on $y$. Because of $X \leftrightarrow Y \leftrightarrow B'$, they can neither depend on 
$x$. Hence, $|\varphi^{x,y}\rangle = \sum_k \sqrt{\lambda_k}\,e^{i\theta(k,x,y)}\,|e_k^x\rangle|f_k^y\rangle$. The phase factors arise from the fact that from a 
reduced density matrix the global phases of the Schmidt-basis elements cannot be determined. 

Let us fix a set of orthogonal states $\{|k\rangle\}_k$. We define the unitary $U_{AA'}$ to be the mapping of 
the orthonormal states $\{|e_k^x\rangle\}_k$ into the orthonormal states $\{|k\rangle\}_k$. Note that $U_{AA'}$ only acts on 
register $A'$ conditioned on the $x$-value in $A$. Analogously, let $U_{BB'}$ map the states $\{|f_k^y\rangle\}_k$ into 
$\{|k\rangle\}_k$. Applying $U_{AA'} \otimes U_{BB'}$ to $|\psi\rangle$ results into state 

$$\sum_{x,y} \sqrt{P_{X,Y}(x,y)}\,|x,y\rangle_{AB} \sum_k \sqrt{\lambda_k}\,e^{i\theta(k,x,y)}\,|k,k\rangle_{A'B'} 
= \sum_k \sqrt{\lambda_k}\,\Bigl(\sum_{x,y} \sqrt{P_{X,Y}(x,y)}\,e^{i\theta(k,x,y)}\,|x,y\rangle\Bigr)|k,k\rangle 
= \sum_k \sqrt{\lambda_k}\,|\psi_k\rangle_{AB} \otimes |k,k\rangle_{A'B'},$$

where each $|\psi_k\rangle_{AB} \in \mathcal{E}(P_{X,Y})$. The cqq-state $\rho_{XBB'}$ can now be written in the form: 

$$\rho_{XBB'} = \sum_x P_X(x)\,|x\rangle\langle x| \otimes \sum_k \lambda_k\,|\varphi^x_k, k\rangle\langle \varphi^x_k, k|,$$

where $|\varphi^x_k\rangle = \sum_y \sqrt{P_{Y|X=x}(y)}\,e^{i\theta(k,x,y)}\,|y\rangle$. Due to the second component, the states $|\varphi^x_k, k\rangle$ are mu- 
tually orthogonal for each $x$. Therefore, for each $x$, 

$$S\Bigl(\sum_k \lambda_k\,|\varphi^x_k, k\rangle\langle \varphi^x_k, k|\Bigr) = H(\lambda_1, \dots, \lambda_K).$$

As a result we get that 

$$S(XBB') = H(X) + \sum_x P_X(x)\,H(\lambda_1, \dots, \lambda_K) = H(X) + H(\lambda_1, \dots, \lambda_K)$$

and analogously, 

$$S(AA'Y) = H(Y) + H(\lambda_1, \dots, \lambda_K),$$

yielding the desired statement as follows: 

$$\begin{aligned} S(X;BB') - I(X;Y) &= H(X) + S(BB') - S(XBB') - I(X;Y) \\ 
&= H(X) + S(BB') - (H(X) + H(\lambda_1, \dots, \lambda_K)) - I(X;Y) \\ 
&= H(Y) + S(AA') - (H(Y) + H(\lambda_1, \dots, \lambda_K)) - I(X;Y) \\ 
&= S(AA';Y) - I(X;Y). \end{aligned}$$

The equality $S(AA') = S(BB')$ follows from the purity of $|\psi\rangle$. □ 
C.2 Proof of Lemma 4.3 

In the case where $A'$ and $B'$ are both trivial, $|\psi\rangle \in \mathcal{E}(P_{X,Y})$ is a regular embedding and 
the statement holds trivially. In the case where $A'$ is trivial and $B'$ is not, we have shown in the 
proof of Lemma 4.2 that an embedding $|\psi\rangle$ of $P_{X,Y}$ is locally equivalent to a state $|\psi^*\rangle \otimes |\alpha\rangle$ for 
$|\psi^*\rangle \in \mathcal{E}(P_{X,Y})$ and a pure state $|\alpha\rangle$. An analogous statement holds if $B'$ is trivial and $A'$ is not. 
Therefore, in these two cases we get for some $|\psi^*\rangle \in \mathcal{E}(P_{X,Y})$ that $\Delta_\psi = \Delta_{\psi^*}$. 

Now assume that both $A'$ and $B'$ are non-trivial. Embedding $|\psi\rangle$ of $P_{X,Y}$ can be written as 

$$|\psi\rangle = \sum_{x,y} \sqrt{P_{X,Y}(x,y)}\,|x,y\rangle_{AB}\,|\varphi^{x,y}\rangle_{A'B'}.$$

In the proof of Lemma 4.2 we show the existence of two local unitary transforms $U_{AA'}$ and 
$U_{BB'}$ on Alice's and Bob's side that transform $|\psi\rangle$ into $\sum_k \sqrt{\lambda_k}\,|\psi_k\rangle_{AB} \otimes |k,k\rangle_{A'B'}$ for a set of 
orthogonal states $\{|k\rangle\}_k$ and $|\psi_k\rangle \in \mathcal{E}(P_{X,Y})$ for each $k$. 

If Alice measures register $A'$ or Bob measures $B'$ in the basis $\{|k\rangle\}_k$, she/he transforms the 
state defined above into the state $|\psi_k\rangle_{AB} \otimes |k,k\rangle_{A'B'}$ with probability $\lambda_k$. Measuring register 
$A'$ arbitrarily does on average not increase $S(AA';Y)$, and analogously, measuring $B'$ does not 
increase $S(X;BB')$ on average. Hence, it follows from the Holevo bound (Theorem 2.1) that 

$$S(AA';Y) = S(A;Y) + S(A';Y|A) \geq S(A;Y) + S(K;Y|A) = S(AK;Y),$$

where $K$ denotes the random variable associated with the measurement of register $A'$ in the 
computational basis. Therefore, the leakage of $|\psi\rangle$ is at least the average leakage of one particular 
strategy, i.e. $\Delta_\psi \geq \sum_k \lambda_k \Delta_{\psi_k}$. Hence, there must exist a $k$ such that for $|\psi^*\rangle := |\psi_k\rangle$, it holds 
that $\Delta_\psi \geq \Delta_{\psi^*}$. □ 



C.3 Proof of Theorem 4.5 

In fact, the random variables $X \searrow Y$ and $Y \searrow X$ in the claim can be replaced by any variables 
$X'$ and $Y'$, satisfying that $X \leftrightarrow X' \leftrightarrow Y$ and $X \leftrightarrow Y' \leftrightarrow Y$ are Markov chains, and that 
$Y' = f_Y(Y)$ and $X' = f_X(X)$ for some deterministic functions $f_Y$ and $f_X$. For such random 
variables we then have $I(X';Y') = I(X;Y)$. Therefore, showing that for $|\psi\rangle \in \mathcal{E}(P_{X,Y})$ with the 
lowest leakage among all embeddings of $P_{X,Y}$ (its regularity follows from Lemma 4.3) and for some 
$|\psi^*\rangle \in \mathcal{E}(P_{X',Y'})$, it holds that 

$$S_\psi(B) - I(X;Y) = \Delta_\psi(P_{X,Y}) \geq \Delta_{\psi^*}(P_{X',Y'}) = S_{\psi^*}(B) - I(X';Y')$$

is equivalent to proving $S_\psi(B) \geq S_{\psi^*}(B)$. First, we show that there exists $|\tilde\psi\rangle \in \mathcal{E}(P_{X,Y'})$ such 
that $S_\psi(B) \geq S_{\tilde\psi}(B)$, i.e. $\Delta_\psi(P_{X,Y}) \geq \Delta_{\tilde\psi}(P_{X,Y'})$. The existence of $|\psi^*\rangle$ such that $\Delta_{\tilde\psi}(P_{X,Y'}) \geq 
\Delta_{\psi^*}(P_{X',Y'})$ follows from an analogous argument. 
State $|\psi\rangle$ can be written in the form: 

$$|\psi\rangle = \sum_{x,y} \sqrt{P_{X,Y}(x,y)}\,e^{i\theta(x,y)}\,|x,y\rangle.$$

For any realization $y'$ of $Y'$, let $O_{y'} := \{y : f_Y(y) = y'\}$. WLOG assume that $O_{y'} = \{1, \dots, k_{y'}\}$. 
Let $g$ be a bijection of the form $g(y) = (f_Y(y), j_y)$, where $j_y \in \{1, \dots, k_{f_Y(y)}\}$. A pair $(y', j)$ 
determines its $g$-preimage uniquely and therefore, in the following we sometimes encode $y$ by 
$(f_Y(y), j_y) = (y', j)$. Formally, there is a unitary transform $U$ of Bob such that 

$$\begin{aligned} \mathbb{1}_A \otimes U|\psi\rangle|0\rangle_B &= \sum_{x,y} \sqrt{P_{X,Y}(x,y)}\,e^{i\theta(x,y)}\,|x, f_Y(y), j_y\rangle \\ 
&= \sum_{x,y'} \sqrt{P_{X,Y'}(x,y')}\,|x,y'\rangle \sum_j \sqrt{P_{Y|Y'=y'}(g^{-1}(y',j))}\,e^{i\theta(x, g^{-1}(y',j))}\,|j\rangle. \qquad (2) \end{aligned}$$

Our goal for the rest of the proof is to transform the register containing $j$ into a form where 
the order of the summations over $(x,y')$ and $j$ in (2) can be reversed to get a state of the form 

$$\frac{1}{\sqrt{t}} \sum_{z=1}^{t} |\psi_z\rangle_{AB}\,|z\rangle_B,$$

where $t$ is some normalization factor and each $|\psi_z\rangle$ is in $\mathcal{E}(P_{X,Y'})$. Our claim that there exists 
a state $|\tilde\psi\rangle \in \mathcal{E}(P_{X,Y'})$ such that $S_{\tilde\psi}(B) \leq S_\psi(B)$ then follows from concavity of von Neumann 
entropy, i.e., from the fact that the average of the entropies of the states $\{\mathrm{tr}_A|\psi_z\rangle\langle\psi_z|\}_z$ is smaller 
than the entropy of their mixture which is equivalent to $\mathrm{tr}_A|\psi\rangle\langle\psi|$. 

In order to reverse the order of summation in (2), we show that there exists a unitary $W$ on 
Bob's system such that 

$$(\mathbb{1}_A \otimes W)(\mathbb{1}_A \otimes U|\psi\rangle|0\rangle_B)|0\rangle_B = |\varphi\rangle = \frac{1}{\sqrt{t}} \sum_{z=1}^{t} |\psi_z\rangle_{AB}\,|z\rangle_B,$$

where each $|\psi_z\rangle$ is a quantum embedding of a joint random variable $XY'$, with the distribution 
arbitrarily close to distribution $P_{X,Y'}$. 

Equality (2) suggests to construct the states $|\psi_z\rangle_{AB}$ by disentangling the register containing $j$ 
from the registers containing $(x,y')$. This method will indeed lead us to the result but only after 
some pre-processing of the register containing $j$. First, we show how to split the register with $j$ 
for each value of $y'$ into a uniform superposition of $t$ values which Bob can measure afterwards 
to determine the index $z$ of an embedding $|\psi_z\rangle$. The uniformity over the register containing the 
indices ensures that measuring the index does not have any impact on the probability distribution 
$P_{X,Y'}$ implemented by $|\psi_z\rangle$. 

Consider $t \in \mathbb{N}$ such that $0 < 1/t \ll \min_y\{P_{Y|Y'=f_Y(y)}(y)\}$. We can ensure that each $y' \in 
\mathcal{Y}'$ is split into exactly $t$ index-values $z$, by adaptively defining a function $[tP_{Y|f_Y(Y)=y'}(y)]_y \in 
\{\lceil tP_{Y|f_Y(Y)=y'}(y) \rceil, \lfloor tP_{Y|f_Y(Y)=y'}(y) \rfloor\}$, indicating into how many values $z$ a given $y$ such that $f_Y(y) = y'$ splits. This procedure 
is elementary, but somewhat technical, and we postpone the detailed description to the end of the 
proof. 

For an event $y'$ of $Y'$, define $t_0 := 0$ and for $i \in \{1, \dots, k_{y'}\}$, 

$$t_i := \sum_{j \leq i} [tP_{Y|f_Y(Y)=y'}(y',j)]_{y',j}.$$

Let Bob's unitary transform $W$ acting upon the registers containing $Y'$, $j \in \{1, \dots, k_{y'}\}$ and 
ancillas set to 0, be defined as follows: 

$$W|y',j\rangle|0\rangle = |y'\rangle\,\frac{1}{\sqrt{[P_{Y|f_Y(Y)=y'}(y',j)\,t]_{y',j}}} \sum_{z=t_{j-1}+1}^{t_j} |z\rangle.$$

The definition of $[\cdot]_y$ implies that for each $y'$: $t_{k_{y'}} = t$, thus $z \in \{1, \dots, t\}$. We can write 



$$|\varphi\rangle := (\mathbb{1}_A \otimes W)((\mathbb{1}_A \otimes U)|\psi\rangle_{AB}|0\rangle_B)|0\rangle_B 
= \sum_{x,y'} \sqrt{P_{X,Y'}(x,y')}\,|x,y'\rangle \sum_{j=1}^{k_{y'}} \sqrt{\frac{P_{Y|f_Y(Y)=y'}(y',j)}{[P_{Y|f_Y(Y)=y'}(y',j)\,t]_{y',j}}}\;e^{i\theta(x,(y',j))} \sum_{z=t_{j-1}+1}^{t_j} |z\rangle. \qquad (3)$$

For the term $\sqrt{P_{Y|f_Y(Y)=y'}(y) / [P_{Y|f_Y(Y)=y'}(y)\,t]_y}$ from (3) we have, abbreviating $P := P_{Y|f_Y(Y)=y'}(y)$ 
and $m := [Pt]_y$ and using $|tP - m| \leq 1$ (as $m$ is $tP$ rounded up or down), 

$$\left| \sqrt{\frac{P}{m}} - \frac{1}{\sqrt{t}} \right| = \frac{|tP - m|}{\sqrt{mt}\,(\sqrt{tP} + \sqrt{m})} \leq \frac{1}{\sqrt{t}\,m} \leq \frac{1}{\sqrt{t}\,(Pt - 1)} = \frac{1}{\sqrt{P^2 t^3 - 2Pt^2 + t}}. \qquad (4)$$

Now we can finally swap the summations to isolate $z$ as promised earlier. From (3) and (4) follows 
that 

$$\begin{aligned} |\varphi\rangle &= \sum_{x,y'} \sqrt{P_{X,Y'}(x,y')}\,|x,y'\rangle \sum_{z=1}^{t} \left( \frac{1}{\sqrt{t}} + \epsilon(y',z) \right) e^{i\theta'(x,y',z)}\,|z\rangle \\ 
&= \frac{1}{\sqrt{t}} \sum_{z=1}^{t} \left( \sum_{x,y'} \bigl(1 + \sqrt{t}\,\epsilon(y',z)\bigr)\,e^{i\theta'(x,y',z)}\,\sqrt{P_{X,Y'}(x,y')}\,|x,y'\rangle \right) |z\rangle, \end{aligned}$$

where $|\epsilon(y',z)| \leq 1 / \bigl(\sqrt{t}\,(t \min_y P_{Y|f_Y(Y)=y'}(y) - 1)\bigr)$ by (4) and since a pair $(y',z)$ uniquely determines $y$ that it came 
from, $\theta'(x,y',z) = \theta(x,y)$ for $y$ corresponding to $(y',z)$. If Bob measures $z$, the state $|\varphi\rangle$ collapses 
to 

$$|\psi_z\rangle \propto \sum_{x,y'} \bigl(1 + \sqrt{t}\,\epsilon(y',z)\bigr)\,e^{i\theta'(x,y',z)}\,\sqrt{P_{X,Y'}(x,y')}\,|x,y'\rangle.$$

The state $|\psi_z\rangle$ lies in $\mathcal{E}(P^z_{X,Y'})$ for a joint probability distribution $P^z_{X,Y'}$ which is arbitrarily close 
to $P_{X,Y'}$. The distance of the two distributions depends on the choice of $t$. 

Hence, for any $\delta > 0$ there is a way to pick a unitary transform $W_\delta$ (with $t$ large enough) such 
that after applying $W_\delta$ and measuring $z$, the corresponding quantum systems satisfy $|S_{\psi_z}(B) - 
S_{\tilde\psi_z}(B)| \leq \delta$ for some $|\tilde\psi_z\rangle \in \mathcal{E}(P_{X,Y'})$. 

Concavity of von Neumann entropy together with the fact that the state $\frac{1}{\sqrt{t}}\sum_{z=1}^{t} |\psi_z\rangle|z\rangle$ is 
locally equivalent to $|\psi\rangle$ imply that 

$$\frac{1}{t} \sum_{z=1}^{t} S_{\psi_z}(B) \leq S_\psi(B).$$

Therefore, $S_\psi(B) \geq \min_z\{S_{\psi_z}(B)\}$, and $S_\psi(B) \geq \min_z\{S_{\tilde\psi_z}(B)\} - \delta$ for $\delta$ arbitrarily small. 
Continuity of von Neumann entropy yields $S_\psi(B) \geq S_{\tilde\psi}(B)$ for some $|\tilde\psi\rangle \in \mathcal{E}(P_{X,Y'})$, which is 
what we wanted to show. 

Finally, it remains to give the correct definition of $[\cdot]_y$: For any $y'$, let us start by setting 
$[tP_{Y|f_Y(Y)=y'}(y)]_y := \lfloor tP_{Y|f_Y(Y)=y'}(y) \rfloor$ for all $y : f_Y(y) = y'$. We now increase the value of 
$[tP_{Y|f_Y(Y)=y'}(y)]_y$ in steps and show that at some point, this value equals $t$. Let $0 < i \leq k_{y'}$. 
In the $i$-th step, replace $[\cdot]_{y',i} = \lfloor \cdot \rfloor$ with $[\cdot]_{y',i} = \lceil \cdot \rceil$. After $k_{y'}$ steps, $[\cdot]_y = \lceil \cdot \rceil$ for all $y : 
f_Y(y) = y'$. In every step the sum $\sum_{y: f_Y(y)=y'} [tP_{Y|f_Y(Y)=y'}(y)]_y$ increases by at most 1. Clearly, 
since $\sum_y P_{Y|f_Y(Y)=y'}(y) = 1$, we get that 

$$\sum_{y: f_Y(y)=y'} \lfloor tP_{Y|f_Y(Y)=y'}(y) \rfloor \leq t \qquad\text{and}\qquad \sum_{y: f_Y(y)=y'} \lceil tP_{Y|f_Y(Y)=y'}(y) \rceil \geq t,$$

thus for some $i$, $\sum_{y: f_Y(y)=y'} [tP_{Y|f_Y(Y)=y'}(y)]_y = t$. □ 

C.4 Proof of Theorem 4.8 

State $|\psi\rangle_{A_0 A_1 B_0 B_1} \in \mathcal{E}(P_{X',Y'})$ can be written in the form: 

$$|\psi\rangle = \sum_x \sqrt{P_{X'_1}(x)}\,|\psi_x\rangle_{A_0 B_0 B_1}\,|x\rangle_{A_1},$$

where each $|\psi_x\rangle$ is a regular embedding of $P_{X'_0, Y' \mid X'_1 = x}$. Since 

$$S_\psi(Y'|A) \leq S_\psi(Y'|A_0, X'_1) = \sum_x P_{X'_1}(x)\,S_{\psi_x}(Y'|A_0, X'_1 = x),$$

we obtain for the leakage of $|\psi\rangle$ that 

$$\begin{aligned} \Delta_\psi(P_{X',Y'}) &= H(Y'|X') - S_\psi(Y'|A) \\ 
&\geq H(Y'|X') - \sum_x P_{X'_1}(x)\,S_{\psi_x}(Y'|A_0, X'_1 = x) \\ 
&= \sum_x P_{X'_1}(x)\bigl(H(Y'|X'_0, X'_1 = x) - S_{\psi_x}(Y'|A_0, X'_1 = x)\bigr) \\ 
&= \sum_x P_{X'_1}(x)\,\Delta_{\psi_x}(P_{X'_0, Y' \mid X'_1 = x}). \end{aligned}$$

By applying the same argument to each $|\psi_x\rangle$, we obtain that 

$$\Delta_\psi(P_{X',Y'}) \geq \sum_{x,y} P_{X'_1, Y'_1}(x,y)\,\Delta_{\psi_{x,y}}(P_{X'_0, Y'_0 \mid X'_1 = x, Y'_1 = y}), \qquad (5)$$

where each $|\psi_{x,y}\rangle$ is a regular embedding of $P_{X'_0, Y'_0 \mid X'_1 = x, Y'_1 = y}$. For each $(x,y)$ such that $P_{X'_0, Y'_0 \mid X'_1 = x, Y'_1 = y} \sim 
P_{X,Y}$ is satisfied, we get that 

$$\Delta_{\psi_{x,y}}(P_{X'_0, Y'_0 \mid X'_1 = x, Y'_1 = y}) \geq \Delta_{P_{X,Y}}.$$

Since $\sum_{x,y:\ P_{X'_0, Y'_0 \mid X'_1 = x, Y'_1 = y} \sim P_{X,Y}} P_{X'_1, Y'_1}(x,y) \geq 1 - \delta$, we get from (5) that 

$$\Delta_\psi(P_{X',Y'}) \geq (1 - \delta)\,\Delta_{P_{X,Y}}.$$

□ 
C.5 Proof of Theorem 4.6 

Theorem 4.5 implies that if there is a 0-leaking embedding of $P_{X,Y}$ then there is also a 0-leaking 
embedding of $P_{X \searrow Y, Y \searrow X}$. Let us therefore assume that $|\psi\rangle$ is a non-leaking embedding of $P_{X,Y}$ 
such that $X = X \searrow Y$ and $Y = Y \searrow X$. We can write $|\psi\rangle$ in the form $|\psi\rangle = \sum_x \sqrt{P_X(x)}\,|x\rangle|\varphi_x\rangle$ 
and get $\rho_B = \sum_x P_X(x)\,|\varphi_x\rangle\langle\varphi_x|$. For the leakage of $|\psi\rangle$ we have: $\Delta_\psi(P_{X,Y}) = S(\rho_B) - I(X;Y) = 0$. 
From the Holevo bound (Theorem 2.1) follows that the states $\{|\varphi_x\rangle\}_x$ form an orthonormal basis 
of their span (since $X = X \searrow Y$, they are all different) and that $Y$ captures the result of a 
measurement in this basis, which therefore is the computational basis. Since $Y = Y \searrow X$, we get 
that for each $x$, there is a single $y_x \in \mathcal{Y}$ such that $|\varphi_x\rangle = |y_x\rangle$. The primitives $P_{X \searrow Y, Y \searrow X}$ and 
$P_{X,Y}$ are therefore trivial. □ 



C.6 Tripartite Embeddings and Proof of Theorem 4.7 

It is natural to generalize the scenario involving only two parties to the setting where the two players also have access to a particular trusted third party who provides them with classical variables $X',Y'$ sampled according to distribution $P_{X',Y'}$. The state produced by purifying Alice's and Bob's actions in such a protocol up to the final measurement yielding $X$ and $Y$ can without loss of generality be viewed as a pure state shared among Alice, Bob and an environment, $|\psi\rangle_{EABA'B'} = \sum_e \sqrt{P_E(e)}\,|e\rangle_E \otimes |\psi^e\rangle_{ABA'B'}$. We define tripartite embeddings of a primitive $P_{X,Y}$ analogously to the case of embeddings:

Definition C.1. A state $|\psi\rangle = \sum_e \sqrt{P_E(e)}\,|e\rangle_E \otimes |\psi^e\rangle_{ABA'B'}$ is a tripartite embedding of $P_{X,Y}$, if measuring registers $A$ and $B$ in the computational basis yields $X, Y$ with distribution $P_{X,Y}$ and the ensemble $\rho_{ABA'B'} := \mathrm{tr}_E\,|\psi\rangle\langle\psi|$ satisfies $S(X;YB') = S(XA';Y) = I(X;Y)$.

The generalization of the notion of leakage to tripartite embeddings is straightforward:

Definition C.2. Let $|\psi\rangle \in \mathcal{H}_E \otimes \mathcal{H}_{ABA'B'}$ be a tripartite embedding of $P_{X,Y}$. We define the leakage of $\rho_{ABA'B'} := \mathrm{tr}_E\,|\psi\rangle\langle\psi|$ viewed as an implementation of $P_{X,Y}$ as

$$\Delta_{\rho_{ABA'B'}}(P_{X,Y}) := \max\{S(X;BB') - I(X;Y),\; S(AA';Y) - I(X;Y)\}.$$

The leakage of a tripartite embedding is non-negative, for the same reason as in the bipartite case; however, it is not necessarily symmetric.

Lemma C.3. A non-leaking tripartite embedding $|\psi\rangle_{EABA'B'}$ of $P_{X,Y}$ implements $P_{X,Y}$ ideally (which means: equivalently to the ideal functionality).

Proof. As we can see below, the statement generalizes Theorem 4.6. Here we assume that in $|\psi\rangle_{EABA'B'}$, Alice's and Bob's entire registers are used to compute $X$ and $Y$, i.e., there are no additional registers. This is without loss of generality because for any $\hat Y$ capturing the result of measuring only a part of Bob's register, we get that

$$S(X;B) \ge I(X;Y) \ge I(X;\hat Y).$$

Hence, $|\psi\rangle$ being a non-leaking tripartite embedding of $P_{X,\hat Y}$ implies that $|\psi\rangle$ is a non-leaking tripartite embedding of $P_{X,Y}$. Clearly, also implementing $P_{X,Y}$ ideally implies that $|\psi\rangle$ implements $P_{X,\hat Y}$ ideally. Therefore, showing that if $|\psi\rangle$ is a non-leaking tripartite embedding of $P_{X,\hat Y}$ then it implements $P_{X,\hat Y}$ ideally is equivalent to showing that if $|\psi\rangle$ is a non-leaking tripartite embedding of $P_{X,Y}$ then it implements $P_{X,Y}$ ideally, for $Y$ capturing the result of measuring the entire register of Bob. An analogous argument holds on Alice's side. Therefore, the respective additional registers $A'$ and $B'$ of Alice and Bob can be taken trivial. Because $|\psi\rangle_{EAB}$ is 0-leaking, we have that $S(X;B) = I(X;Y)$, which by the Holevo bound (Theorem 2.1) implies that we can write

$$\mathrm{tr}_{EA}\,|\psi\rangle\langle\psi| = \sum_x P_X(x)\,\mathrm{tr}_E\,|\psi_x\rangle\langle\psi_x|,$$

where all $\mathrm{tr}_E\,|\psi_x\rangle\langle\psi_x|$ are simultaneously diagonalizable. If the common diagonal basis of these states is $\{|z\rangle\}_z$, then the cq-state shared between Alice, holding her classical output, and Bob is

$$\rho_{XB} = \sum_{z'}\Big(\sum_x P_{X|f_Z(Z)=z'}(x)\,|x\rangle\langle x|\Big)\otimes\sigma^{z'},$$

where $f_Z(Z) := Z\searrow X$ and

$$\sigma^{z'} := \sum_{z:\,f_Z(z)=z'}\alpha_z\,|z\rangle\langle z|.$$

This is a purely classical state, implementing the distribution $P_{X,Z}$ securely on Bob's side. Any information that Bob can learn about the distribution of $X$ is via the distribution of $Z\searrow X$ that he learns by measuring his part. Hence, for the honest measurement of Bob captured by $Y$, we have that $X \leftrightarrow Z\searrow X \leftrightarrow Y\searrow X$ is a Markov chain. From the assumption $S(X;B) = I(X;Y)$ we get:

$$S(X;B) = I(X;Z) = I(X;Z\searrow X) = I(X;Y) = I(X;Y\searrow X),$$

yielding $S(X|Y\searrow X) = S(X|Z\searrow X)$. Due to the Markov chain property,

$$S(X|Z\searrow X, Y\searrow X) = S(X|Z\searrow X),$$

implying that

$$S(X|Y\searrow X, Z\searrow X) = S(X|Y\searrow X),$$

i.e. $X \leftrightarrow Y\searrow X \leftrightarrow Z\searrow X$ is also a Markov chain. Since both $Z\searrow X$ and $Y\searrow X$ are minimum random variables (see Section 2 for the meaning of "minimum") $W_Z, W_Y$ such that $X \leftrightarrow W_Z \leftrightarrow Z\searrow X$ and $X \leftrightarrow W_Y \leftrightarrow Y\searrow X$ are Markov chains, we get that $Z\searrow X = Y\searrow X$.
Then $\rho_{XB}$ can be written as:

$$\rho_{XB} = \sum_{y'}\sum_x\big(P_{X|f_Y(Y)=y'}(x)\,|x\rangle\langle x|\big)\otimes\rho^{y'},$$

where the support of each $\rho^{y'}$ only contains $y$-values such that $f_Y(y) = y'$. It follows that then, $\rho_{XB}$ privately implements $P_{X,Y\searrow X}$ on Bob's side. Analogously, $S(A;Y) = I(X;Y)$ implies that $\rho_{AY}$ privately implements $P_{X\searrow Y,Y}$ on Alice's side. In such a case, $\mathrm{tr}_{EA}|\psi\rangle\langle\psi| = \mathrm{tr}_{EA}|\psi'\rangle\langle\psi'|$ and $\mathrm{tr}_{EB}|\psi\rangle\langle\psi| = \mathrm{tr}_{EB}|\psi'\rangle\langle\psi'|$ for $|\psi'\rangle_{EAB}$ satisfying

$$|\psi'\rangle_{EAB} = \sum_{x',y'}\sqrt{P_{X\searrow Y,Y\searrow X}(x',y')}\,|x',y'\rangle_E\,|\omega^{x',y'}\rangle_{AB},$$

where

$$|\omega^{x',y'}\rangle_{AB} = \sum_{x,y:\,f_X(x)=x',\,f_Y(y)=y'}\alpha^{x',y'}_{x,y}\,|x,y\rangle.$$

For $S(X;B)$ we then get that

$$\begin{aligned}
S(X;B) &= I(X\searrow Y;Y\searrow X) + \sum_{x',y'}P_{X\searrow Y,Y\searrow X}(x',y')\,S\big(\mathrm{tr}_A|\omega^{x',y'}\rangle\langle\omega^{x',y'}|\big)\\
&= I(X;Y) + \sum_{x',y'}P_{X\searrow Y,Y\searrow X}(x',y')\,S\big(\mathrm{tr}_A|\omega^{x',y'}\rangle\langle\omega^{x',y'}|\big).
\end{aligned}$$
Hence, equality $S(X;B) = I(X;Y)$ can hold only if all $|\omega^{x',y'}\rangle$ are product states, implying that from each party's point of view, a non-leaking tripartite embedding has to be equivalent to

$$\sum_{x',y'}\sqrt{P_{X\searrow Y,Y\searrow X}(x',y')}\,|x',y'\rangle_E \otimes \sum_x\sqrt{P_{X|X\searrow Y=x'}(x)}\,|x\rangle_A \otimes \sum_y\sqrt{P_{Y|Y\searrow X=y'}(y)}\,|y\rangle_B. \qquad (6)$$

Clearly, such a tripartite embedding implements $P_{X,Y}$ ideally. Furthermore, in such a case for $|\psi\rangle_{EAB} = \sum_e\sqrt{P_E(e)}\,|e\rangle_E|\psi^e\rangle_{AB}$, each $|\psi^e\rangle$ has to be an embedding of a trivial primitive. Since the knowledge of $e$ then enables Bob to learn the value of $X\searrow Y$ completely, $S(E|B) \ge H(X\searrow Y|Y)$ needs to hold. Analogously we can show that $S(E|A) \ge H(Y\searrow X|X)$. Notice that in the case of a bipartite embedding, this can only happen if the computational basis is the Schmidt basis for both Alice and Bob. It follows that the distribution $P_{X\searrow Y,Y\searrow X}$ is then of the form $P_{X\searrow Y,Y\searrow X}(x',y'_{x'}) = P_{X\searrow Y}(x')$, where $y'_{x'} \ne y'_{x'_1}$ for $x' \ne x'_1$. Primitive $P_{X,Y}$ is then trivial and the claim of Theorem 4.6 follows. □

Proof (Proof of Theorem 4.7). Consider a quantum protocol equipped with a black box for $P_{X,Y}$. Due to (6), from the players' perspectives, such a protocol is indistinguishable from a protocol where $S(E|A) \le H(Y\searrow X|X)$ and $S(E|B) \le H(X\searrow Y|Y)$ during the entire protocol execution, with the following black-box implementation of $P_{X,Y}$:

$$|\psi\rangle_{EAB} = \sum_{x',y'}\sqrt{P_{X\searrow Y,Y\searrow X}(x',y')}\,|x',y'\rangle_E\,|x',y'\rangle_{AB}. \qquad (7)$$

The bits that each player receives from a black box for $P_{X,Y}$ are only classically correlated with the environment and with the outcome of the other player. It follows that at any moment of the protocol's execution, honest-but-curious players can measure their parts of the black box output, store their respective classical outcomes, and proceed further without being detected. Such a measurement on Alice's side extracts incomplete information about the environment, which therefore partially collapses. If the measurement takes place at the beginning of the computation, where it is not preceded by any non-invertible operation such as another measurement, then Alice's uncertainty about the environment at this point is $H(Y\searrow X|X)$. Since the environment remains unaffected during the protocol's run, $S(E|A)$ cannot exceed this value at any time later.

WLOG now assume that $H(Y'\searrow X'|X') > H(Y\searrow X|X)$. There is a tripartite embedding of $P_{X,Y}$ of the form (7), where $S(E|A) = H(Y\searrow X|X)$. We have argued that the protocol for $P_{X',Y'}$ built upon such a black box is indistinguishable from the same protocol using a different black box for $P_{X,Y}$ and furthermore, $S(E|A) \le H(Y\searrow X|X)$ during the entire run of the protocol. However, in the proof of Lemma C.3 we have shown that in any non-leaking tripartite embedding of $P_{X',Y'}$, $S(E|A) \ge H(Y'\searrow X'|X')$ must hold. Since $H(Y'\searrow X'|X') > H(Y\searrow X|X)$, the protocol must leak information. □



D Leakage of Universal Primitives 
D.1 Exact calculations

First, we look at the leakage of the embeddings of Rabin String OT ($\mathrm{ROT}^r$).

Theorem D.1. Any embedding of $P^{\mathrm{ROT}^r}_{X,Y}$ is at least $(1 - O(r2^{-r}))$-leaking. For $r = 1$ any embedding is at least $(h(\tfrac14) - \tfrac12) \approx 0.311$-leaking. Furthermore, the leakage is the same for all embeddings of $P^{\mathrm{ROT}^r}_{X,Y}$.






Proof. Let

$$|\psi\rangle = \frac{1}{\sqrt{2^{r+1}}}\Big(\sum_{x\in\{0,1\}^r} e^{i\theta(x,x)}\,|x\rangle_A|x\rangle_B + \sum_{x\in\{0,1\}^r} e^{i\theta(x,\perp)}\,|x\rangle_A|\perp\rangle_B\Big),$$

where $\perp$ denotes an erasure, be a general form of an embedding of $P^{\mathrm{ROT}^r}_{X,Y}$.

Define $|\varphi\rangle := \frac{1}{\sqrt{2^r}}\sum_{x\in\{0,1\}^r} e^{i\theta(x,\perp)}|x\rangle$. If Bob guesses the value of Alice's string successfully, Alice gets an ensemble $\rho^0 = \frac{1}{2^r}\sum_{x\in\{0,1\}^r}|x\rangle\langle x|$. If an erasure occurs on Bob's side, Alice gets $\rho^1 = |\varphi\rangle\langle\varphi|$. We find $S(A)$ by computing the eigenvalues of $\rho_A := \tfrac12(\rho^0 + \rho^1)$.

Since $\rho^0 = \frac{1}{2^r}\mathbb{I}_A$, $|v\rangle$ is an eigenvector of $\rho_A$ if and only if it is an eigenvector of $\rho^1$. If $|v\rangle$ is an eigenvector of $\rho^1$ then either a) $|v\rangle = e^{i\delta}|\varphi\rangle$ or b) $\langle v|\varphi\rangle = 0$. If a) is true then

$$\rho_A|v\rangle = \tfrac12(\rho^0|v\rangle + \rho^1|v\rangle) = \tfrac12\Big(1 + \tfrac{1}{2^r}\Big)|v\rangle,$$

whereas in the case b),

$$\rho_A|v\rangle = \tfrac12(\rho^0|v\rangle + \rho^1|v\rangle) = \tfrac{1}{2^{r+1}}|v\rangle.$$

The state $\rho_A$ has eigenvalues $\{\tfrac12 + \tfrac{1}{2^{r+1}},\ \tfrac{1}{2^{r+1}}\}$, where $\tfrac{1}{2^{r+1}}$ has multiplicity $2^r - 1$. $S(A)$ can then be computed as follows:

$$\begin{aligned}
S(A) &= -\Big(\tfrac12 + \tfrac{1}{2^{r+1}}\Big)\log\Big(\tfrac12 + \tfrac{1}{2^{r+1}}\Big) + \tfrac{2^r - 1}{2^{r+1}}\,(r+1)\\
&= \Big(\tfrac12 + \tfrac{1}{2^{r+1}}\Big)\Big(1 - \tfrac{1}{\ln 2\cdot 2^{r}} + O(4^{-r})\Big) + \tfrac{r+1}{2} - \tfrac{r+1}{2^{r+1}} = \tfrac{r}{2} + 1 - O\Big(\tfrac{r}{2^r}\Big).
\end{aligned}$$

Since $I(X;Y) = \tfrac{r}{2}$, for the leakage we get:

$$\Delta_\psi\big(P^{\mathrm{ROT}^r}_{X,Y}\big) = S(A) - I(X;Y) = 1 - O\Big(\tfrac{r}{2^r}\Big).$$

As we can see, the leakage does not depend on the phase-function $\theta$. □
In the following theorem we minimize the leakage of an embedding of $P^{\mathrm{OT}}_{X,Y}$.

Theorem D.2. Any $|\psi\rangle \in \mathcal{E}(P^{\mathrm{OT}}_{X,Y})$ is at least $\tfrac12$-leaking. The leakage is minimized by the canonical embedding.

Proof. Let

$$|\psi\rangle = \frac{1}{2\sqrt2}\sum_{x_0,x_1,c\in\{0,1\}} e^{i\theta(x_0x_1,\,c\,x_c)}\,|x_0x_1\rangle|c\,x_c\rangle$$

be a regular embedding of $P^{\mathrm{OT}}_{X,Y}$. Without loss of generality assume that $\theta(00,00) = 0$. Notice that for the local phase-change transforms

$$\begin{aligned}
U_A &:= |00\rangle\langle00| + \exp(i\theta(01,00))|01\rangle\langle01| + \exp(i(\theta(10,10) - \theta(00,10)))|10\rangle\langle10|\\
&\quad + \exp(i(\theta(10,10) + \theta(11,01) - \theta(00,10) - \theta(10,01)))|11\rangle\langle11|,\\
U_B &:= |00\rangle\langle00| + \exp(i(\theta(00,10) + \theta(10,01) - \theta(10,10)))|01\rangle\langle01|\\
&\quad + \exp(i\theta(00,10))|10\rangle\langle10| + \exp(i(\theta(01,11) - \theta(01,00)))|11\rangle\langle11|,
\end{aligned}$$

we get

$$U_A \otimes U_B\,|\psi\rangle = |\psi'\rangle = \tfrac12\Big(|0+\rangle|00\rangle + |1+\rangle|01\rangle + |+0\rangle|10\rangle + \tfrac{|0\rangle + e^{i\omega}|1\rangle}{\sqrt2}\,|1\rangle|11\rangle\Big),$$

where $\omega = \theta(00,10) + \theta(01,00) + \theta(10,01) + \theta(11,11) - \theta(01,01) - \theta(10,10) - \theta(11,01)$.

Let $A'$ denote Alice's quantum system for Alice and Bob sharing $|\psi'\rangle$. Since $S(A) = S(A')$, we can minimize $S(A')$ in order to minimize $S(A)$. Assume that Alice and Bob share $|\psi'\rangle$. For Bob's selection bit $c = 0$, Alice gets an ensemble $\rho_0 = \tfrac12(|0+\rangle\langle0+| + |1+\rangle\langle1+|)$, whereas for $c = 1$, she gets $\rho_1 = \tfrac12\big(|+0\rangle\langle+0| + \tfrac12(|01\rangle + e^{i\omega}|11\rangle)(\langle01| + e^{-i\omega}\langle11|)\big)$, where $\rho_{A'} = \tfrac12(\rho_0 + \rho_1)$. By solving the characteristic equation of $\rho_{A'}$ we get the set of eigenvalues $\{\tfrac14(1 \pm \cos\tfrac{\omega}{4}),\ \tfrac14(1 \pm \sin\tfrac{\omega}{4})\}$. $S(A')$ can then be expressed as follows:

$$S(A') = 1 + \frac{h\big(\frac{1 - \cos(\omega/4)}{2}\big) + h\big(\frac{1 - \sin(\omega/4)}{2}\big)}{2}.$$

By computing the second derivative of $f(x) = h\big(\frac{1-\sqrt{x}}{2}\big)$, we get that $f''(x) \le 0$ in $[0,1]$, implying that $f$ is concave in $[0,1]$. For $a \in [0,1]$, Jensen's inequality yields $(1-a)f(0) + af(1) \le f(a)$, and therefore, $f(0) + f(1) \le f(a) + f(1-a)$. Consequently, the minimum of $h\big(\frac{1-\cos(\omega/4)}{2}\big) + h\big(\frac{1-\sin(\omega/4)}{2}\big) = f(\cos^2\tfrac{\omega}{4}) + f(\sin^2\tfrac{\omega}{4})$ is achieved for $\omega = 0$ and in this case, $S(A') = \tfrac32$.

Finally, we can conclude that the leakage is minimal for the canonical embedding and $\Delta_\psi(P^{\mathrm{OT}}_{X,Y}) = S(A) - I(X;Y) = S(A') - I(X;Y) \ge \tfrac32 - 1 = \tfrac12$. □
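As an added numerical check of Theorems D.1 and D.2 (example code, not from the paper): the script builds the embedding states with all phases $\theta = 0$ (and, for 1-2 OT, the $\omega = \pi$ variant, which is still a real state), traces out Bob, diagonalizes $\rho_A$ and returns $S(A) - I(X;Y)$. The pure-Python Jacobi eigensolver and the register index conventions are assumptions of this example.

```python
import math

def partial_trace_b(psi, da, db):
    """rho_A = tr_B |psi><psi| for a real vector psi indexed as i * db + j."""
    return [[sum(psi[i * db + j] * psi[k * db + j] for j in range(db))
             for k in range(da)] for i in range(da)]

def eigenvalues_sym(m, sweeps=60):
    """Eigenvalues of a real symmetric matrix by cyclic Jacobi rotations."""
    a = [row[:] for row in m]
    n = len(a)
    for _ in range(sweeps):
        if sum(a[i][j] ** 2 for i in range(n) for j in range(i + 1, n)) < 1e-24:
            break
        for p in range(n):
            for q in range(p + 1, n):
                if abs(a[p][q]) < 1e-15:
                    continue
                t = 0.5 * math.atan2(2 * a[p][q], a[q][q] - a[p][p])  # zeroes a[p][q]
                c, s = math.cos(t), math.sin(t)
                for k in range(n):  # a <- a J (columns p, q)
                    akp, akq = a[k][p], a[k][q]
                    a[k][p], a[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):  # a <- J^T a (rows p, q)
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return [a[i][i] for i in range(n)]

def entropy_bits(eigs):
    """Von Neumann entropy in bits; (numerically) zero eigenvalues drop out."""
    return -sum(l * math.log2(l) for l in eigs if l > 1e-12)

def ot_leakage(sign):
    """Leakage of |psi'> for 1-2 OT with e^{i omega} = sign: +1 is the
    canonical embedding (omega = 0), -1 is omega = pi (still a real state)."""
    amp = 1 / (2 * math.sqrt(2))
    psi = [0.0] * 16  # basis |x0 x1>_A |c x_c>_B, index (x0 x1) * 4 + (c x_c)
    for x0 in (0, 1):
        for x1 in (0, 1):
            for c in (0, 1):
                phase = sign if (x0, x1, c) == (1, 1, 1) else 1
                psi[(2 * x0 + x1) * 4 + 2 * c + (x1 if c else x0)] = amp * phase
    return entropy_bits(eigenvalues_sym(partial_trace_b(psi, 4, 4))) - 1.0  # I(X;Y) = 1

def rot_leakage(r):
    """Leakage of the Rabin string OT embedding with all phases theta = 0;
    Bob's register has 2^r string values plus one erasure symbol."""
    n, db = 1 << r, (1 << r) + 1
    amp = 1 / math.sqrt(2 * n)
    psi = [0.0] * (n * db)
    for x in range(n):
        psi[x * db + x] = amp  # Bob receives Alice's string x
        psi[x * db + n] = amp  # Bob receives the erasure
    return entropy_bits(eigenvalues_sym(partial_trace_b(psi, n, db))) - r / 2  # I(X;Y) = r/2
```

For $\omega = 0$ the result is the $\tfrac12$ of Theorem D.2 and for $r = 1$ the $h(\tfrac14) - \tfrac12$ of Theorem D.1; the $\omega = \pi$ state leaks about $0.60$, i.e. strictly more than the canonical one.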

There is also a more direct way to interpret this quantity in the case of the canonical embedding $|\psi_0\rangle$ for $P^{\mathrm{OT}}_{X,Y}$: if Alice and Bob share a single copy of $|\psi_0\rangle$ then there exist POVMs for both of them which reveal Bob's selection bit to Alice, and the XOR of Alice's bits to Bob, both with probability $\tfrac12$. Let $|\Phi^\pm\rangle = \tfrac{1}{\sqrt2}(|00\rangle \pm |11\rangle)$, $|\Psi^\pm\rangle = \tfrac{1}{\sqrt2}(|01\rangle \pm |10\rangle)$ denote the Bell states, and $|\pm\rangle := \tfrac{1}{\sqrt2}(|0\rangle \pm |1\rangle)$. Observe that the canonical embedding $|\psi_0\rangle$ of $P^{\mathrm{OT}}_{X,Y}$ can be expressed as follows:

$$|\psi_0\rangle = \tfrac12\,|\Phi^-\rangle_A|{+}{-}\rangle_B + \tfrac12\,|\Psi^-\rangle_A|{-}{-}\rangle_B + \tfrac{1}{\sqrt2}\,|{+}{+}\rangle_A|{+}{+}\rangle_B.$$

In order to get the value $x_0 \oplus x_1$ of Alice's bits $x_0$ and $x_1$, Bob can use POVM $B = \{B_0, B_1, B_?\}$ where $B_0 := \tfrac12(|\Psi^-\rangle - |\Phi^-\rangle)(\langle\Psi^-| - \langle\Phi^-|)$, $B_1 := \tfrac12(|\Phi^+\rangle - |\Psi^+\rangle)(\langle\Phi^+| - \langle\Psi^+|)$, and $B_? := |{+}{+}\rangle\langle{+}{+}|$. It is easy to verify that Bob gets outcome $B_z$ for $z \in \{0,1\}$ (in which case $x_0 \oplus x_1 = z$ with certainty) with probability $\tfrac14$. Alice's POVM can be defined as $A = \{A_0, A_1, A_?\}$ where $A_0 := |{-}{+}\rangle\langle{-}{+}|$, $A_1 := |{+}{-}\rangle\langle{+}{-}|$, and $A_? := \mathbb{I} - A_0 - A_1$. By inspection we easily find that the probability for Alice to get Bob's selection bit is $1 - \mathrm{tr}((A_? \otimes \mathbb{I})\,|\psi_0\rangle\langle\psi_0|) = \tfrac12$. For any regular embedding of $P^{\mathrm{OT}}_{X,Y}$ we can construct similar POVMs revealing the XOR of Alice's bits to Bob and Bob's selection bit to Alice with probability strictly more than $\tfrac12$.
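As an added check of the two POVMs above (example code, not from the paper): it builds the canonical embedding $|\psi_0\rangle$ as a real 16-entry vector, writes $B_0$ and $B_1$ from the Bell states exactly as they are defined in the text, and returns the joint probabilities of each outcome with the other party's actual value, so that the $\tfrac14$, $\tfrac12$ and "with certainty" claims can be read off. The register index convention and the helper names are assumptions of this example.

```python
import math
from itertools import product

R2 = 1 / math.sqrt(2)
PLUS, MINUS = [R2, R2], [R2, -R2]               # |+>, |->
PHI_P, PHI_M = [R2, 0, 0, R2], [R2, 0, 0, -R2]  # |Phi+>, |Phi->
PSI_P, PSI_M = [0, R2, R2, 0], [0, R2, -R2, 0]  # |Psi+>, |Psi->

def kron(u, v):
    return [a * b for a in u for b in v]

def projector(vec):
    """|v><v| for a real vector v, as a nested list."""
    return [[a * b for b in vec] for a in vec]

# Bob's POVM from the text: B_0 = 1/2(|Psi-> - |Phi->)(<Psi-| - <Phi-|), B_1 likewise, B_? = |++><++|
B0 = projector([(a - b) * R2 for a, b in zip(PSI_M, PHI_M)])
B1 = projector([(a - b) * R2 for a, b in zip(PHI_P, PSI_P)])
B_UNK = projector(kron(PLUS, PLUS))
# Alice's POVM from the text: A_0 = |-+><-+|, A_1 = |+-><+-|, A_? = I - A_0 - A_1
A0, A1 = projector(kron(MINUS, PLUS)), projector(kron(PLUS, MINUS))

def canonical_ot_state():
    """|psi_0> = 2^{-3/2} sum_{x0,x1,c} |x0 x1>_A |c x_c>_B, index (x0 x1) * 4 + (c x_c)."""
    psi = [0.0] * 16
    for x0, x1, c in product((0, 1), repeat=3):
        psi[(2 * x0 + x1) * 4 + 2 * c + (x1 if c else x0)] = 1 / (2 * math.sqrt(2))
    return psi

def joint_prob(psi, op, on_bob, keep):
    """Pr[op fires] restricted to the other party's basis values (b1, b2) with keep(b1, b2):
    on_bob=True applies op to Bob's register and keep to Alice's (x0, x1), else vice versa."""
    total = 0.0
    for other in range(4):
        if keep(other >> 1, other & 1):
            sub = ([psi[other * 4 + j] for j in range(4)] if on_bob
                   else [psi[i * 4 + other] for i in range(4)])
            total += sum(sub[j] * op[j][k] * sub[k] for j in range(4) for k in range(4))
    return total

def bob_xor_probs(psi):
    """(Pr[B_0], Pr[B_0 and x0^x1=1], Pr[B_1], Pr[B_1 and x0^x1=0], Pr[B_?])."""
    return (joint_prob(psi, B0, True, lambda x0, x1: True),
            joint_prob(psi, B0, True, lambda x0, x1: x0 ^ x1 == 1),
            joint_prob(psi, B1, True, lambda x0, x1: True),
            joint_prob(psi, B1, True, lambda x0, x1: x0 ^ x1 == 0),
            joint_prob(psi, B_UNK, True, lambda x0, x1: True))

def alice_selection_probs(psi):
    """(Pr[A_z fires and c = z], Pr[A_z fires and c != z]), each summed over z."""
    right = (joint_prob(psi, A0, False, lambda c, y: c == 0)
             + joint_prob(psi, A1, False, lambda c, y: c == 1))
    wrong = (joint_prob(psi, A0, False, lambda c, y: c == 1)
             + joint_prob(psi, A1, False, lambda c, y: c == 0))
    return right, wrong
```

On $|\psi_0\rangle$ the three Bob outcomes have probabilities $\tfrac14, \tfrac14, \tfrac12$ and $B_z$ never fires when $x_0 \oplus x_1 \ne z$; Alice's $A_0, A_1$ together fire with probability $\tfrac12$ and never on the wrong selection bit.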



D.2 Lower Bounds 

Theorem D.3. Any embedding $|\psi\rangle$ of $P^{\mathrm{OT}^r}_{X,Y}$ is $(1 - O(r2^{-r}))$-leaking.

Proof. We use Theorem 4.8 to show that any (regular) embedding of $P^{\mathrm{OT}^r}_{X,Y}$ leaks at least as much as some regular embedding of $P^{\mathrm{ROT}^r}_{X,Y}$. Let $(A_0, A_1)$ and $B$ denote Alice's and Bob's respective registers. Then $|\psi\rangle_{A_0A_1B} \in \mathcal{E}(P^{\mathrm{OT}^r}_{X,Y})$ can be written in the form:

$$|\psi\rangle = \frac{1}{\sqrt{2^r}}\sum_{x\in\{0,1\}^r}|\psi_x\rangle\,|x\rangle_{A_1},$$

where each

$$|\psi_x\rangle = \frac{1}{\sqrt{2^{r+1}}}\sum_{x'\in\{0,1\}^r}\Big(e^{i\theta(x,x',0)}\,|x'\rangle_{A_0}|0,x'\rangle_B + e^{i\theta(x,x',1)}\,|x'\rangle_{A_0}|1,x\rangle_B\Big)$$

can be viewed as a regular embedding of $P^{\mathrm{ROT}^r}_{X,Y}$. According to Theorem 4.8 and Theorem D.1, we get that

$$\Delta_{P^{\mathrm{OT}^r}_{X,Y}} \ge \Delta_{P^{\mathrm{ROT}^r}_{X,Y}} = 1 - O(r/2^r).$$

□



Theorem D.4. If $p < \tfrac12 - \tfrac{\sqrt2}{4}$ then $\Delta_{P^{\mathrm{OT}_p}_{X,Y}} \ge \dfrac{\big(\frac12 - p - \sqrt{(1-p)p}\big)^2}{32\ln 2}$.

Proof. Before starting with the actual proof, we formulate a useful statement, relating two measures of uncertainty of a quantum ensemble.

Theorem D.5 (Average Encoding Theorem [KNTsZ01]). Let $B$ denote a quantum system storing the quantum part of a cq-state $\rho_{XB} = \sum_{x\in\mathcal{X}} P_X(x)\,|x\rangle\langle x| \otimes \rho^x_B$. Then

$$\sum_x P_X(x)\,\|\rho_B - \rho^x_B\|_1 \le \sqrt{2(\ln 2)\,S(X;B)}.$$

Let us start with the proof of Theorem D.4. First, we show that for any regular embedding of $P_{X,Y_0Y_1}$ such that $Y_0$ and $Y_1$ are independent,

$$S(A;Y_0Y_1) \ge S(A;Y_0) + S(A;Y_1).$$

We can write

$$\begin{aligned}
S(A;Y_0) + S(A;Y_1) &= H(Y_0) + H(Y_1) - S(Y_0|A) - S(Y_1|A)\\
&= H(Y_0Y_1) - S(Y_0|A) - S(Y_1|A)\\
&\le H(Y_0Y_1) - S(Y_0Y_1|A) = S(A;Y_0Y_1). \qquad (8)
\end{aligned}$$

Let $X, Y_0, Y_1$ be random variables corresponding to Alice's pair of bits, Bob's selection bit, and its value, respectively. For $P^{\mathrm{OT}_p}_{X,Y}$ we have that $I(X;Y_0Y_1) = 1 - h(p)$. $S(A;Y_0Y_1)$ can then be lower-bounded by

$$S(A;Y_0Y_1) \ge S(A;Y_0) + S(A;Y_1) \ge S(A;Y_0) + (1 - h(p)).$$

Hence, for computing the lower bound on $S(A;Y_0Y_1)$, we only need to compute the lower bound on $S(A;Y_0)$. A state $|\psi\rangle \in \mathcal{E}(P^{\mathrm{OT}_p}_{X,Y})$ can be written as

$$|\psi\rangle = \tfrac{1}{\sqrt2}\big(|\psi_0\rangle_{AB_1}|0\rangle_{B_0} + |\psi_1\rangle_{AB_1}|1\rangle_{B_0}\big).$$

Let $\rho^0_A := \mathrm{tr}_{B_1}|\psi_0\rangle\langle\psi_0|$ and $\rho^1_A := \mathrm{tr}_{B_1}|\psi_1\rangle\langle\psi_1|$. By applying Theorem D.5 from above, we get that

$$\|\rho^0_A - \rho^1_A\|_1 \le \sqrt{8(\ln 2)\,S(A;Y_0)},$$

and therefore,

$$\frac{\|\rho^0_A - \rho^1_A\|_1^2}{8\ln 2} \le S(A;Y_0). \qquad (9)$$

The trace norm of $\rho^0_A - \rho^1_A$ yields an upper bound on the entries of the matrix:

$$|(\rho^0_A - \rho^1_A)_{ij}| \le \|\rho^0_A - \rho^1_A\|_1. \qquad (10)$$
We can write the state $|\psi\rangle$ in the form:

$$|\psi\rangle = \tfrac12\sum_{y_0,y_1\in\{0,1\}}|\varphi_{y_0,y_1}\rangle,$$

where

$$\begin{aligned}
|\varphi_{0,y}\rangle &= \sqrt{\tfrac{1-p}{2}}\sum_{x=0}^{1} e^{i\theta(y,x,0,y)}\,|y,x\rangle_A|0,y\rangle_{B_0B_1} + \sqrt{\tfrac{p}{2}}\sum_{x=0}^{1} e^{i\theta(y,x,0,1-y)}\,|y,x\rangle_A|0,1-y\rangle_{B_0B_1},\\
|\varphi_{1,y}\rangle &= \sqrt{\tfrac{1-p}{2}}\sum_{x=0}^{1} e^{i\theta(x,y,1,y)}\,|x,y\rangle_A|1,y\rangle_{B_0B_1} + \sqrt{\tfrac{p}{2}}\sum_{x=0}^{1} e^{i\theta(x,y,1,1-y)}\,|x,y\rangle_A|1,1-y\rangle_{B_0B_1}.
\end{aligned}$$

By evaluating the entries of $(\rho^0_A - \rho^1_A)$ we get a simple lower bound on $|(\rho^0_A - \rho^1_A)_{ij}|$ for $i \ne j \in \{0,\dots,3\}$:

$$|(\rho^0_A - \rho^1_A)_{ij}| \ge \frac{1-2p}{4} - \frac{\sqrt{(1-p)p}}{2}, \qquad (11)$$

hence, from (10) it follows that

$$\|\rho^0_A - \rho^1_A\|_1 \ge \frac{1-2p}{4} - \frac{\sqrt{(1-p)p}}{2},$$

yielding due to (8) and (9) that

$$S(A;Y_0Y_1) \ge 1 - h(p) + S(A;Y_0) \ge 1 - h(p) + \frac{\big(\frac{1-2p}{4} - \frac{\sqrt{(1-p)p}}{2}\big)^2}{8\ln 2} = 1 - h(p) + \frac{\big(\frac12 - p - \sqrt{(1-p)p}\big)^2}{32\ln 2}.$$
The lower bound is non-trivial if $\tfrac12 - p - \sqrt{(1-p)p} > 0$, which is true for $p < \tfrac12 - \tfrac{\sqrt2}{4}$. The result yields the following lower bound on the leakage of $P^{\mathrm{OT}_p}_{X,Y}$:

$$\Delta_{P^{\mathrm{OT}_p}_{X,Y}} \ge \frac{\big(\frac12 - p - \sqrt{(1-p)p}\big)^2}{32\ln 2}.$$

However, this lower bound is very loose, since for $p = 0$ we get that

$$\Delta_{P^{\mathrm{OT}}_{X,Y}} \ge \frac{1}{128\ln 2} \approx 0.011,$$

which is much weaker than the optimal

$$\Delta_{P^{\mathrm{OT}}_{X,Y}} = \tfrac12.$$

It remains to mention that by using a more careful analysis of the phases of $|\varphi_{0,y}\rangle$ and $|\varphi_{1,y}\rangle$, the lower bound on the absolute value of the off-diagonal entries from (11) can be improved, yielding a non-trivial lower bound on the leakage for $p > 0.15$ and eventually, even for any $p < 1/4$. It is possible that for the values of $p$ close to $1/4$, we can get a lower bound with a better ratio compared to the real value of the minimum leakage of an embedding of $P^{\mathrm{OT}_p}_{X,Y}$. □






